The Colorado Privacy Act (CPA), effective July 1, 2023, provides expansive protections to the personal data of Colorado residents acting in an individual or household context (a “consumer”). Similar to the California Consumer Privacy Act (CCPA), the CPA requires providing notice of an entity’s (“controller”) data collection activities, provides for consumer rights including the right to opt out of certain processing, and creates an affirmative duty to safeguard personal data. Notably, the CPA does not apply to employee personal data or data collected in a commercial context.
On December 22, 2022, the Colorado Attorney General published Version 2 of Proposed Draft Rules for implementing the CPA and invited public comment. A rulemaking hearing on the proposed rules is scheduled for February 1, 2023.
While not an exhaustive list, the Proposed Draft Rules:
- provide an extensive list of defined terms;
- set forth presentation and accessibility requirements for consumer disclosures and notices (e.g., readable on all devices, straightforward and accurate, accessible to the target audience);
- address the exercise of personal data rights (e.g., opt-out, access, correct, delete, and port data) and authentication of requests (i.e., establishing reasonable methods to authenticate a consumer based on the specific rights exercised, the risk of harm from improper access and the value, amount, and sensitivity of the personal data associated with the request);
- require using a universal opt-out mechanism that enables opting out of processing for targeted advertising or the sale of personal data in an affirmative, freely given, and unambiguous manner; prohibit using pre-installed or default-setting universal opt-out mechanisms, since these do not constitute freely given, affirmative consent to opt out; and include technical specifications;
- address privacy notice content (e.g., disclosing the processing purpose; whether the data is sold, used for targeted advertising, or used for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; data rights, etc.);
- detail use of loyalty programs (e.g., prohibiting an increase in cost or decrease in the availability of a product or service based on a consumer’s exercise of a right; permitting a controller to offer bona fide loyalty program benefits based on a consumer’s voluntary participation);
- detail duties regarding processing sensitive data (i.e., obtaining consent);
- outline the affirmative obligation to safeguard consumer personal data;
- set forth requirements for valid consent (e.g., informed, affirmative, freely given, specific and unambiguous);
- detail the performance of a data protection assessment (e.g., identify and describe the heightened risk of harm to a consumer posed by processing; document measures taken to offset those risks; and demonstrate the benefits of processing outweigh the risks as offset by implemented safeguards).
The following non-exhaustive list notes substantive changes to the Proposed Draft Rules in the recently published Version 2. These changes:
- add key definitions (e.g., “employee”, “employer”, and “employment records”, since the CPA does not apply to data maintained for employment purposes; “non-commercial purpose”, since the CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado consumers); amend “biometric identifiers” to mean data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics. The definition of biometric identifier is significant since consumer consent must be obtained prior to collecting biometric data;
- permit delayed compliance with a consumer’s request to correct data when the data is archived or in backup systems;
- detail the scope and application of a universal opt-out mechanism including an affirmative obligation to safeguard data processed with respect to the use of a universal opt-out mechanism;
- provide controllers with six (6) months to recognize mechanisms added to the public list of recognized universal opt-out mechanisms published by the Colorado Department of Law;
- provide examples of substantive or material changes that require a controller to notify a consumer of changes to its privacy policy (e.g., changes to the categories of personal data processed or the processing purposes, the controller’s identity, or the methods to exercise consumer rights);
- list considerations for identifying and incorporating reasonable and appropriate safeguards for personal data;
- require that an interface used to request consumer consent include specific disclosures;
- detail when the controller must refresh consent received from a consumer to process certain personal information;
- prohibit consent interface designs that subvert or impair user autonomy or decision-making, or that manipulate or coerce the consumer into providing consent;
- replace the phrase “similarly significant effects concerning a consumer resulting from profiling” with specific examples (e.g., denial of financial or lending services, housing); and
- permit the use of a profiling-related data protection assessment performed for purposes of another jurisdiction’s law to satisfy CPA requirements when the assessment is reasonably similar in scope.
The CPA rulemaking process is ongoing and, similar to California’s draft regulations, it is anticipated that Colorado’s Proposed Draft Rules will undergo further revisions prior to July 1, 2023. Jackson Lewis will continue to track updates to the CPA and Proposed Draft Rules. For additional information on the CPA and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.