The Federal Trade Commission (FTC) recently took enforcement action against digital healthcare companies for sharing user information via third-party tracking pixels, which enable the collection of user data. At the start of the year, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued its own bulletin with guidance on tracking technologies for covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). The FTC’s new focus, however, highlights that tracking pixels are not only a concern for covered entities and business associates under HIPAA.

The following definition of pixel tracking from the FTC is helpful:

Tracking pixels have evolved from tiny, pixel-sized images on web pages for tracking purposes to include a broad range of HTML and JavaScript embedded in web sites (and email). Tracking pixels can be hidden from sight and can track and send all sorts of personal data such as how a user interacts with a web page including specific items a user has purchased or information users have typed within a form while on the site. Businesses often want to use them to track consumer behavior (pageviews, clicks, interactions with ads) and target ads to users who may be more likely to engage or purchase something based on that prior online behavior.

In its recent article about pixel tracking, the FTC discusses concerns about the practice:

  • Ubiquity and persistence. The FTC cited to significant research indicating that thousands of the most visited websites have pixels potentially leaking personal information to third parties. And, unlike cookies which can be disabled, “[p]ixel tracking can still occur even if cookies are disabled.”
  • Lack of clarity. The technology permits any kind of data to be shared and in some cases the providers of the technology are not sure what data is being shared. This can leave consumers in the dark about the categories of their personal information shared with third parties as a result of their activity on a website.
  • Steps to remove personal information may be ineffective. The agency notes that some attempts to remove personal information before it is shared may be inadequate. As an example, while some pixel technologies “hash” personal information in an attempt to scramble personally identifiable information, that scrambling can be reversed: a hash of a predictable value such as an e-mail address is deterministic, so anyone holding a list of candidate addresses can hash each one and match it against the value the pixel transmitted.
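The following is an added illustration of the third concern above, written for this post rather than taken from the FTC or from any pixel vendor. It models a pixel that sends the SHA-256 of a user’s e-mail address to a third-party endpoint alongside the page the user was on, shows the receiving side recovering the address from a list of known e-mails, and contrasts a keyed HMAC pseudonym that cannot be reversed the same way. The endpoint URL, function names, and the sample e-mail addresses and page are assumptions constructed for the example.

```python
"""Why a hashed identifier in a tracking-pixel request is not anonymous.

Added example for this post; not code from the FTC, OCR, or any vendor.
The endpoint, function names and sample data below are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

PIXEL_ENDPOINT = "https://tracker.example/px.gif"  # hypothetical third party


def normalize_email(email: str) -> str:
    # Vendors normalize before hashing (trim, lowercase) so the same person
    # hashes to the same value everywhere: the output is deterministic by design.
    return email.strip().lower()


def hash_email(email: str) -> str:
    """The "scrambling" the FTC describes: unkeyed SHA-256 of the address."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def build_pixel_url(event: str, email: str, page: str) -> str:
    """What an image-beacon style pixel requests: the hashed e-mail rides
    along in the query string with the behavioural data (event and page URL),
    whether or not the browser allows cookies."""
    params = {"ev": event, "em": hash_email(email), "url": page}
    return f"{PIXEL_ENDPOINT}?{urlencode(params)}"


def parse_pixel_url(url: str) -> dict:
    """The third party's view: the query string it receives."""
    query = parse_qs(urlparse(url).query)
    return {key: values[0] for key, values in query.items()}


def reverse_hash(digest: str, candidates: list) -> Optional[str]:
    """Dictionary attack: hash each candidate address and compare.
    SHA-256 is fast and e-mail addresses have little entropy, so a list of
    known addresses (e.g. a marketing database) defeats the hashing."""
    for candidate in candidates:
        if hmac.compare_digest(hash_email(candidate), digest):
            return normalize_email(candidate)
    return None


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the site operator. Without the
    key the dictionary attack fails. Note this only fixes reversibility:
    a stable pseudonym still lets the recipient link one user across events,
    so it does not by itself address the consent and disclosure concerns."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    # Constructed sample data (not real people or sites).
    patient_email = " Jane.Doe@example.com "
    page = "https://clinic.example/appointments?dept=oncology"

    url = build_pixel_url("form_submit", patient_email, page)
    leaked = parse_pixel_url(url)

    known_emails = ["alice@example.com", "jane.doe@example.com", "bob@example.org"]
    recovered = reverse_hash(leaked["em"], known_emails)

    key = secrets.token_bytes(32)
    keyed = keyed_pseudonym(patient_email, key)
    keyed_recovered = reverse_hash(keyed, known_emails)

    return {
        "pixel_url": url,
        "leaked_page": leaked["url"],
        "recovered_email": recovered,          # "jane.doe@example.com"
        "keyed_recovered_email": keyed_recovered,  # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The page URL in the beacon shows a second point from the FTC definition: the pixel carries the context of the visit (here, a department name in the query string), which can itself be sensitive even if the identifier were well protected.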

The concerns raised by the FTC are more general than just HIPAA and go to consumer privacy and data protection. For example, the FTC observed:

Companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and your privacy promises to consumers.

As such, even companies outside of healthcare need to consider their use of pixel technology to ensure compliance with state and federal laws on the protection of consumer data. And, in particular, businesses need to consider what promises they are making to consumers, such as in their website privacy policies and terms of use.  

If you have questions about compliance with consumer privacy and data protection laws or related issues, contact a Jackson Lewis attorney to discuss.

On March 7, 2023, the Consumer Financial Protection Bureau (CFPB), the federal government agency charged with protecting consumers in the financial sector, and the National Labor Relations Board (NLRB), the federal government agency tasked with protecting private sector employees’ rights to engage in union organizing and other concerted activity, announced an information sharing agreement in order to better protect both consumers and workers.

The announcement indicated that shared areas of concern for the two agencies include employer surveillance and employer-driven debt. The CFPB hopes that sharing information with the NLRB will support the agency’s efforts to end “debt traps” in employment. Last year the CFPB began seeking information about risks consumers face from employers, such as workers who take on debt due to employer-mandated training and equipment.

In the announcement, the NLRB General Counsel echoed concerns previously addressed by the NLRB in a memorandum last year regarding employers’ use of electronic monitoring and automated management in the workplace and the potential chilling effect on organization efforts.

The information-sharing agreement does not create a legally binding obligation between the CFPB and the NLRB and does not waive any existing statutory or regulatory requirements governing the disclosure of nonpublic information. Both agencies will still be required to protect the confidentiality of nonpublic information and personally identifiable information.

Businesses should take note of this new agreement and partnership as it could mean an increase in investigations and charges triggered by information shared between the agencies. The announcement specifically identified the “gig economy” as a focus of concern among the agencies.

If you have questions about CFPB and NLRB efforts or related issues, contact a Jackson Lewis attorney to discuss.

On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act, which relates to consumer data and privacy protection. Once signed by Iowa’s governor, the statute will become operative on January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing a comprehensive consumer privacy statute.

Covered Businesses

Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.

Consumer Defined

Under the statute, a consumer is defined as a natural person who is a resident of Iowa and acting only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.

Personal Data

The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.

Consumer Data Rights

The statute provides consumers with the following rights:

  • To confirm that covered businesses are processing the consumer’s personal data and access that personal data.
  • To delete personal data provided by the consumer.
  • To port the personal data.
  • To obtain a copy of the consumer’s personal data with certain limitations.
  • To opt out of processing for the sale of personal data or targeted advertising.

Covered Business Obligations

Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:

  • Respond to consumer requests without undue delay, but in all cases within 90 days of receipt of the request. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
  • If the covered business declines to take action, it must inform the consumer.
  • Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.

In addition to complying with consumer requests covered businesses must:

  • Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Not process sensitive data, a broad category under the statute that includes racial or ethnic origin, biometric data, and even precise geolocation, without first presenting the consumer with clear notice and an opportunity to opt out of such processing.
  • Avoid processing data in such a way as to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute including denying goods or services or changing the prices or rates.
  • Contractually obligate processors to adhere to the business’s instructions, where the business is a controller, and implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.  
  • Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.

Enforcement

The statute does not include a private right of action; the state attorney general has exclusive authority to enforce its provisions.

For additional information on Iowa’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

While the California Privacy Protection Agency (CPPA) only recently approved revised amended regulations pertaining to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), it is already on to its next rulemaking.

On February 10, 2023, the CPPA issued an invitation for preliminary comments on proposed rulemaking pertaining to cybersecurity audits, risk assessments, and automated decision-making. The invitation includes some specific questions the CPPA would like to receive comments on, but comments are not limited to those areas of inquiry.

The comment period is open until March 27, 2023. Comments can be submitted:

Electronic: Comments may be submitted electronically to regulations@cppa.ca.gov. Please include “PR 02-2023” in the subject line.

Mail: California Privacy Protection Agency Attn: Kevin Sabo 2101 Arena Blvd Sacramento, CA 95834

The questions posed by the CPPA appear to be an attempt to harmonize the CPPA’s efforts with laws other than the CCPA and CPRA that apply to covered businesses. There are also specific questions regarding the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as Colorado’s Privacy Act, suggesting that the CPPA is looking more widely than mere consistency with California law.

If you have questions on the CPPA rulemaking or related issues, contact a Jackson Lewis attorney to discuss.

While programs such as artificial intelligence bots that can write poetry or develop art are capturing people’s interest, administrative agencies across the country are concerned about how similar technology, including algorithms and automated decision-making, may affect employees and consumers alike. Agencies from the Equal Employment Opportunity Commission (EEOC) to the New York City Department of Consumer and Worker Protection are issuing guidance and regulations about AI and related technologies.

The latest administrative body to join the fray is the Colorado Division of Insurance. At the start of February, the Division issued a draft of proposed regulations pertaining to algorithm and predictive model governance. The purpose of the regulation is to establish requirements for a life insurance company’s internal governance and risk management necessary to ensure that the company’s use of consumer data and information, as well as algorithms and predictive models, does not result in unfair discrimination. This is a similar concern voiced in much of the guidance and regulations around the country.

The Division of Insurance’s proposed regulations include a governance and risk management framework, documentation mandates, and reporting requirements. The regulations would require life insurers that use external consumer data and information sources (ECDIS), as well as algorithms and predictive models using ECDIS, to establish a governance and risk management framework that ensures the ECDIS is credible and that its use does not result in unfair discrimination.

That framework includes components that are similar to what we are seeing in other efforts to regulate AI and related technologies. These include:

  • Documenting governing principles aimed at transparency and accountability.
  • Board of directors’ and senior management’s responsibility and accountability for the strategy and use of ECDIS and the algorithms and predictive models using ECDIS.
  • Establishing written policies and processes for design, development, testing, deployment, use, and ongoing monitoring.
  • Maintaining a process for addressing consumer complaints and inquiries, one that provides sufficiently clear information to enable consumers to take meaningful action in response to adverse decisions.

Additionally, as with other regulations in this area, insurers will be required to document their use of ECDIS and algorithms and predictive models using ECDIS, and report to the Division of Insurance progress toward compliance with the applicable regulatory requirements.

The type of regulation proposed by the Division of Insurance is going to proliferate as algorithms and automated decision-making tools become more and more common. As such, businesses exploring these technologies should consider putting similar measures and principles in place – e.g., governance, documentation, accountability, notice, and responsibility – during the design, development, testing, deployment, use, and monitoring phases.

This post deals with another data breach: yes, hackers compromised the organization’s systems and exfiltrated personal information relating to over 45,000 Pennsylvania and Ohio residents. However, there are several important takeaways from this case, including cybersecurity in corporate transactions, data retention and destruction, and incident response planning.

According to the Assurance of Voluntary Compliance agreed to in this matter with Pennsylvania’s Acting Attorney General Michelle Henry:

  • As part of the 2021 breach, the hackers exfiltrated 28 databases from the organization’s network. Those databases were obtained by the organization as part of an acquisition that occurred nearly 10 years earlier, and they had not been used for any business purpose since. The organization claimed that the databases were inadvertently transferred to it as part of the transaction without the organization’s knowledge.
  • In May of 2021, the organization began receiving alerts concerning suspicious activity on its networks. When additional alerts came in August of 2021, indicating Cobalt Strike malware in the environment, the organization initiated its incident response plan.

In response to these and other allegations made by the Acting AG Henry and in coordination with the Ohio Attorney General’s office, the organization settled. According to the settlement, it will pay each state $200,000 and will adopt a compliant information security program within 180 days of the settlement.

So, what are the takeaways?

Transactions. As one cyber leader put it recently:

Mergers and acquisitions give organizations the potential to increase capabilities, diversify offerings and expand market share, but they also present considerable risks. And while companies usually review financial, strategic, legal and operational details before completing an M&A transaction, another important concern is often overlooked: cybersecurity.

The obligations to assess data risk in a transaction extend to that which is acquired (What are the reps? What are we getting? Do we want/need it? etc.) and that which is divested (Can we disclose? How should we transfer? etc.). A complete inventory of systems and information assets in a transaction clearly would help acquiring organizations make prudent decisions about what should be retained, how best to safeguard what is retained and used, and whether public statements about safeguards track actual practices with respect to that data.

Data Retention and Destruction. Simply stated, organizations should only collect personal information they need, keep it only for as long as they need it, and, when it is no longer needed, destroy it or render it unreadable. This is much more difficult in practice, of course. However, a good starting point is inventorying what personal information the organization has and continues to collect, and then determining whether that information is needed or can be eliminated. Increasingly, regulations are mandating implementation of these principles. See, for example, section 7002(d) of the CCPA regulations (awaiting final approval), which states:

“Whether a business’s collection, use, retention, and/or sharing of a consumer’s personal information is reasonably necessary and proportionate to achieve the purpose identified [the regulations], or any purpose for which the business obtains consent, shall be based on the following: (1) The minimum personal information that is necessary to achieve the purpose identified…or any purpose for which the business obtains consent.”

If those purposes cease to exist, retention also may need to cease.

Incident response planning. Simply having an incident response plan is not enough, although it is a good start. According to a WSJ survey, 74% of companies say they have “an incident response management strategy,” but only 23% surveyed tested their plan twice a year or more. For a whole host of reasons, responding to an incident can take time, but reacting as quickly as possible can help minimize the scope of the incident and mitigate harm. Regular and frequent training and tabletop exercises on a well-developed incident response plan can go a long way toward preparing the organization to face significant security incidents. 

After a significant delay, on February 3, 2023, the California Privacy Protection Agency (CPPA) unanimously approved amended regulations. The new regulations have not yet gone into effect as they must first be approved by the Office of Administrative Law (OAL). The CPPA’s General Counsel advised that there is no guarantee that the regulations would be approved on the first go-around. As the OAL has 30 business days to determine whether the CPPA complied with all rulemaking requirements, it is anticipated the regulations may take effect as early as April 2023.

The revised regulation is intended to do the following:

  1. Update existing regulations to fit with amendments made by the California Privacy Rights Act (CPRA).
  2. Put into operation new rights and concepts introduced by the CPRA.
  3. Make the regulations more streamlined and easier to understand.

The revised regulations include regulations on data processing agreements, consumer opt-out mechanisms, mandatory requirements for recognition of opt-out preference signals, and consumer request handling.

The regulations were not substantively changed from the second set of modifications released in October 2022, which included:

  • Sections clarifying how consumers can opt out of having their data sold or shared, including via opt-out preference signals.
  • Provisions providing allowances for enforcement flexibility, which are intended to assuage businesses’ concerns that the current delay in adopting final regulations will present compliance challenges.
  • Allowances for businesses, service providers, and contractors to delay compliance with requests to correct archived or backup systems until the data is restored to an active system or is next accessed or used.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On the eve of Data Privacy Day, the California Attorney General announced a new investigative focus for compliance with the California Consumer Privacy Act (CCPA) on mobile applications, specifically popular apps in the retail, travel, and food service industries. The Attorney General sent letters to businesses with mobile applications that have allegedly failed to comply with consumer opt-out requests, do not offer any mechanism for consumers who want to stop the sale of their data, or failed to process consumer requests submitted via an authorized agent, including via third-party applications such as Permission Slip.

The Attorney General stated this new focus on mobile application compliance comes due to the wide array of sensitive information applications can access on an individual’s mobile device.

Under the CCPA, businesses that receive notices have 30 days to fix the alleged violations before an enforcement action may be initiated by the state.

This announcement of further potential enforcement actions comes only four months after the state’s first enforcement action and settlement under the CCPA, which resulted in a settlement of $1.2 million in penalties, as well as injunctive relief.

Businesses with mobile applications should review compliance requirements and whether their mobile applications are following these and other CCPA requirements, including the changes made by the California Privacy Rights Act (CPRA).

If you have questions about compliance with the CCPA or related issues, contact a Jackson Lewis attorney or the CCPA Team.

To celebrate Data Privacy Day, we present our top ten data privacy and cybersecurity predictions for 2023.

1. Healthcare and Medical Data Security and Tracking

The healthcare industry has been facing increased scrutiny for the protection of healthcare information both online and on apps.

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further. 

Businesses in the healthcare industry should continue to work with counsel to review new ways of delivering healthcare services, including new technologies, with an eye toward the protection of medical information and privacy for patients. Building in protections from the outset can have significant advantages. Of course, medical device and technology companies also will need to consider how their devices and technologies could capture or affect medical information and the corresponding regulatory requirements and best practices.

2. A Patchwork of Legislation and Regulations Pertaining to Privacy and Cybersecurity

Currently, nine states are considering consumer privacy bills, among them Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. This is already a complicated arena, with California, Colorado, Connecticut, Utah, and Virginia having laws on the books.

More cities and states will implement cybersecurity regulations with a view toward data protection and privacy, including in specific industries. In 2022, for example, we saw government entities such as the Nevada Gaming Commission issue security regulations for regulated entities in the gaming industry. The New York State Bar is now requiring its members, lawyers practicing in New York, to have annual continuing legal education in cybersecurity.

The Biden Administration released its regulatory agenda which aimed at new cybersecurity requirements for government contractors, the maritime industry, public companies, and others. The Securities and Exchange Commission has also set goals to enact new cybersecurity regulations.

It will be important in 2023 for businesses to be more aware than ever about the data they are collecting, why it is processed, and how it is stored and safeguarded in order to comply with the myriad of privacy laws around the country.

3. California, California, California

California will continue to be a leader in the data privacy space, with both the implementation of its first-in-the-nation comprehensive consumer privacy law and further enforcement actions under that law. California will be sure to shape both state and national viewpoints on privacy requirements.

The California Privacy Protection Agency (CPPA) continues to work on revisions to regulations for the California Privacy Rights Act (CPRA). These changes are critical for covered organizations with respect to both their commercial activities and when functioning as an employer.

It does not stop there. Another first for California is that it is the first state to adopt a comprehensive law, AB 2273, addressing children’s online privacy.

4. Employee Privacy and Monitoring

As remote working remains mainstream, we will see more regulation on the monitoring of and privacy protections for employees. Last year, the NLRB’s General Counsel issued a memo on the electronic monitoring of employees. In the memo, the General Counsel suggested that an employer must establish that its monitoring practices are “narrowly tailored” to “legitimate business needs” that outweigh employees’ Section 7 interests. Even if the employer establishes that its narrowly tailored business needs outweigh those rights, the General Counsel will nonetheless “urge the Board to require the employer to disclose to employees the technologies it uses to monitor and manage them, its reasons for doing so, and how it is using the information it obtains,” unless the employer can establish special circumstances.

In some industries, “workplace” monitoring goes beyond the home office. Consider transportation and logistics. An increasing number of states are advancing legislation on digital license plates, which could include related vehicle tracking and related telematics technologies. California’s recent statute on vehicle tracking and fleet management creates significant obligations for employers monitoring their fleets using these technologies.

5. Federal Government to Join in Privacy Regulation

We’re going out on a bit of a limb here as there have been predictions year after year that the federal government would enact a national privacy standard. Of course, none of those predictions turned out.  For sure, the federal government is on a much slower path toward joining states in privacy regulation, but we definitely see the federal government continuing its efforts whether via administrative regulations by the Federal Trade Commission or proposed legislation toward national privacy protection. Perhaps this is the year!

6. AI, Automated Decision Systems and Privacy

2022 saw a tremendous uptick in the attention to and use of AI and Automated Decision Systems, along with the potential effects of both in employment and related circumstances. Naturally, this raises significant privacy concerns among many stakeholders, including the Biden Administration. According to the framework issued by the White House in 2022 pertaining to the use of AI, data privacy was one of the five protections that individuals should be entitled to when using AI.

As the use of AI and automated decision systems continues to spread through industries and everyday life, how individuals’ privacy will be safeguarded will be a growing concern.

7. More privacy-related lawsuits

2023 will see more privacy-related lawsuits as privacy laws proliferate across the country.

We will continue to see more litigation under Illinois’ Biometric Information Privacy Act (BIPA) as plaintiffs’ attorneys find more places the law could apply, from dash cams to timekeeping. Other states may enact laws that fuel more litigation, as several states including Maryland, Mississippi, and New York are considering biometric privacy laws. The facial recognition ban enacted in the city of Portland a few years ago is beginning to see lawsuits filed under the ordinance.

While BIPA and the Telephone Consumer Protection Act (TCPA) continue to drive a significant amount of litigation, there is an emerging trend of cases seeking to apply privacy statutes such as the California Invasion of Privacy Act (CIPA), the Florida Telephone Solicitation Act (FTSA), the Video Privacy Protection Act (VPPA), and the Genetic Information Privacy Act (GIPA) to newer technologies.

8. EU Continued Enforcement of Privacy Laws

Companies transferring personal data from the EEA (European Economic Area) to the U.S. may soon have an opportunity to leverage a new transfer mechanism. In October, President Biden signed Executive Order 14086 as part of the process to implement the EU-U.S. Data Privacy Framework (DPF), successor to the invalidated EU-U.S. Privacy Shield framework. The EU Commission has issued a draft decision that, upon adoption, will enable the DPF to proceed. In the meantime, the U.S. Department of Commerce announced it will help current U.S. Privacy Shield participants prepare to transition to the new framework.

In October, the European Data Protection Board approved Europrivacy, the first European Data Protection Seal. Europrivacy is a certification mechanism designed to help data controllers and processors demonstrate compliance with the GDPR.

Artificial Intelligence and data protection remain a top priority for the U.K. Information Commissioner’s Office. In November, the ICO published How to Use AI and Personal Data Appropriately and Lawfully. Earlier in the year, the EU Commission published an updated proposal for Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act). The proposal creates a legal framework and includes principle-based requirements for AI systems, harmonized rules for the development and use of AI systems, and a regulatory system.

9. Ransomware Attacks and Data Breaches Will Continue as Will Secondary Enforcement Actions

We will continue to see a flow of ransomware attacks, business email compromises, and other data breaches stemming from crafty hackers and cybersecurity lapses. In addition to business interruption costs and direct expenses incurred to respond to the incident, organizations will likely face more enforcement actions as states continue to tighten their data breach notification requirements.

Organizations cannot prevent all attacks from happening, but they can redouble their efforts around regulatory compliance, preparedness, and incident response planning. The stronger an organization is in these three areas, the more successful it likely will be in resolving a government agency enforcement action relating to a data breach.

10. More Focus on Critical Infrastructure Sector When it Comes to Cybersecurity and Privacy

In 2022, we saw the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), included within the Consolidated Appropriations Act, 2022. In short, once CISA’s implementing regulations are final, the law will require certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):

  1. a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
  2. any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident to be reported)

Because of the ongoing threats to critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has started to focus more on this sector, as small to medium-sized providers have been under threat. Recently, CISA stated in its review of 2022 that the agency would focus on “target-rich, resource-poor entities,” such as small water facilities that are part of critical infrastructure but do not have large security teams.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2023.

Happy Privacy Day!

The Colorado Privacy Act (CPA), effective July 1, 2023, provides expansive protections to the personal data of Colorado residents acting in an individual or household context (a “consumer”). Similar to the California Consumer Privacy Act (CCPA), the CPA requires providing notice of an entity’s (“controller”) data collection activities, provides for consumer rights including the right to opt out of certain processing, and creates an affirmative duty to safeguard personal data. Notably, the CPA does not apply to employee personal data or data collected in a commercial context. 

On December 22, 2022, the Colorado Attorney General published Version 2 of Proposed Draft Rules for implementing the CPA and invited public comment. A rulemaking hearing on the proposed rules is scheduled for February 1, 2023.

While not an exhaustive list, the Proposed Draft Rules:

  • provide an extensive list of defined terms;
  • set forth presentation and accessibility requirements for consumer disclosures and notices (e.g., readable on all devices, straightforward and accurate, accessible to the target audience);
  • address the exercise of personal data rights (e.g., opt-out, access, correct, delete, and port data) and authentication of requests (i.e., establishing reasonable methods to authenticate a consumer based on the specific rights exercised, the risk of harm from improper access and the value, amount, and sensitivity of the personal data associated with the request);
  • require controllers to honor a universal opt-out mechanism that enables a consumer to opt out of processing for targeted advertising or the sale of personal data in an affirmative, freely given, and unambiguous manner; prohibit treating a pre-installed, default-on setting as a valid universal opt-out mechanism, since a default setting does not constitute the consumer’s freely given, affirmative choice to opt out; and include technical specifications for such mechanisms;
  • address privacy notice content (e.g., disclosing the processing purpose; whether the data is sold, used for targeted advertising, or used for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; data rights, etc.);
  • address the use of loyalty programs (e.g., prohibiting an increase in the cost or a decrease in the availability of a product or service based on a consumer’s exercise of a right; permitting a controller to offer bona fide loyalty program benefits based on a consumer’s voluntary participation);
  • detail duties regarding processing sensitive data (i.e., obtaining consent);
  • outline the affirmative obligation to safeguard consumer personal data;
  • set forth requirements for valid consent (e.g., informed, affirmative, freely given, specific and unambiguous);
  • detail the performance of a data protection assessment (e.g., identify and describe the heightened risk of harm to a consumer posed by the processing; document the measures taken to offset those risks; and demonstrate that the benefits of the processing outweigh the risks as offset by the implemented safeguards).

The following non-exhaustive list notes substantive changes to the Proposed Draft Rules in the recently published Version 2. These changes:

  • add key definitions (e.g., “employee,” “employer,” and “employment records,” since the CPA does not apply to data maintained for employment purposes; and “non-commercial purpose,” since the CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado consumers), and amend “biometric identifiers” to mean data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics. The definition of biometric identifier is significant because consumer consent must be obtained before collecting biometric data;
  • permit delayed compliance with a consumer’s request to correct data when the data is archived or in backup systems;
  • detail the scope and application of a universal opt-out mechanism including an affirmative obligation to safeguard data processed with respect to the use of a universal opt-out mechanism;
  • provide controllers with six (6) months to recognize mechanisms added to the public list of recognized universal opt-out mechanisms published by the Colorado Department of Law;
  • provide examples of substantive or material changes that require a controller to notify consumers of changes to its privacy policy (e.g., changes to the categories of personal data processed or the processing purposes, the controller’s identity, or the methods for exercising consumer rights);
  • list considerations for identifying and incorporating reasonable and appropriate safeguards for personal data;
  • require that an interface used to request consumer consent include specific disclosures;
  • detail when the controller must refresh consent received from a consumer to process certain personal information;
  • prohibit consent interface designs that subvert or impair user autonomy or decision-making, or that manipulate or coerce the consumer into providing consent;
  • replace the phrase “similarly significant effects concerning a consumer resulting from profiling” with specific examples (e.g., denial of financial or lending services, housing); and
  • permit the use of a profiling-related data protection assessment performed for purposes of another jurisdiction’s law to satisfy CPA requirements when the assessment is reasonably similar in scope.

The CPA rulemaking process is ongoing and, similar to California’s draft regulations, it is anticipated that Colorado’s Proposed Draft Rules will undergo further revisions prior to July 1, 2023. Jackson Lewis will continue to track updates to the CPA and Proposed Draft Rules. For additional information on the CPA and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.