On July 7, 2021, Colorado enacted the Colorado Privacy Act (CPA), becoming the third U.S. state to adopt a comprehensive privacy law. As previously described, the CPA does not apply to everyone. It applies only to “controllers” that conduct business in Colorado and that either (a) control or process the personal data of at least 100,000 Colorado residents per year, or (b) control or process the personal data of at least 25,000 Colorado residents and derive revenue from, or receive a discount on the price of goods or services from, the sale of personal data. The CPA grants consumers rights similar to those in the California Privacy Rights Act (CPRA), such as the rights to access, correct, and delete personal data and the right to opt out of the processing of personal data for targeted advertising, and it also includes a right to appeal a controller’s denial of a request.
The CPA grants enforcement powers to the Colorado Attorney General and also obligates that office to develop rules governing the privacy of Colorado residents’ personal data and implementing the CPA. This authority includes adopting regulations on the implementation and interpretation of the CPA and, specifically, adopting rules on the technical specifications of one or more opt-out mechanisms that communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of processing for targeted advertising or the sale of personal data.
After a pre-rulemaking process in which the Attorney General sought input from interested persons about the upcoming rulemaking, the Attorney General released the proposed Colorado Privacy Act Rules (Draft Rules) on September 30, 2022, kicking off the notice-and-comment rulemaking phase. At almost 40 pages long, the Draft Rules are now available for public comment.
Draft Rules Highlights
The Draft Rules address requirements for consumer disclosures (privacy notices); how consumers may submit requests to exercise their privacy rights under the CPA and how controllers must respond to those requests; universal opt-out mechanisms; loyalty programs; data minimization and permitted uses of personal data; consent for the use of sensitive data; recordkeeping; avoiding dark patterns and other user-interface requirements; data protection assessments; and profiling. Some of the more impactful provisions include:
- Universal Opt-Out Mechanisms. The Draft Rules require that controllers be capable of recognizing a universal opt-out mechanism, which may function either by sending an opt-out signal that the controller listens for or by publishing a “do not sell” list that the controller queries.
- Privacy Notices. The Draft Rules describe the content of the privacy notices required under the CPA. Consistent with FTC guidance, the controller must notify consumers of substantive or material changes to its privacy practices and obtain consent where the changed practice requires it, but the Draft Rules add a requirement that the notice be updated at least 15 days before the change takes effect. Although the Draft Rules explicitly state that a separate, Colorado-only privacy notice is not required, their privacy notice requirements differ enough from those of other jurisdictions that a separate Colorado-only notice may ultimately be the most practical approach for many businesses.
- Consent. The Draft Rules specify when controllers must obtain consent, including before processing personal data of a known child, sensitive data, personal data in certain circumstances after a consumer has opted out of processing, and personal data collected for a different purpose than the one now intended. Many aspects of the consent requirements are consistent with the EU’s General Data Protection Regulation. The Draft Rules also include a first-of-its-kind provision requiring that consent be refreshed at regular intervals, and annually for sensitive data.
Next Steps in Rulemaking Process
To gather feedback from stakeholders, the Attorney General’s Office will host three virtual stakeholder meetings to discuss the proposed draft rules. These stakeholder sessions will occur November 10, 15, and 17, 2022, and focus on specific topics addressed in the CPA and Draft Rules, including consumer rights and universal opt-out mechanisms, business obligations and data protection assessments, and profiling, consent, and definitions.
In conjunction with the publication of the Draft Rules, the Colorado Attorney General’s Office will hold a public hearing on February 1, 2023 that will be conducted in person and by video conference. Anyone can request to testify at the rulemaking hearing and submit public comments. The Attorney General then has 180 days to file the adopted rules with the Secretary of State for publication in the Colorado Register. The CPA goes into effect on July 1, 2023, but the Attorney General made clear that he would not start enforcement of the CPA until binding regulations are in effect.
The Attorney General has emphasized that his office is “open for engagement” and that his “number one [enforcement] priority are those who are willfully noncomplying with the law…” He has previewed that his enforcement priorities distinguish businesses that engage in “good faith, well-intentioned compliance, where you make a footfall” and violate the law from those that engage in “willful noncompliance.” It therefore remains important to begin activities that demonstrate “good faith, well-intentioned compliance.” In a previous post, we discussed ways that businesses could prioritize activities that can be reused across other privacy regimes. Organizations that qualify as controllers under the CPA and have not already started these activities should begin them now. After the Colorado rulemaking hearing, the Attorney General will stop accepting public comments while his office finalizes the rules, unless he decides to hold another round of amendments. Given that the CPA takes effect July 1, 2023 and that the Attorney General already sought input during pre-rulemaking, another round of amendments seems unlikely. Businesses that wish to comment should therefore do so during the initial comment period.
Next Steps for Businesses
Although the CPA does not take effect for another eight months, businesses should start determining now how their obligations under the CPA and the Draft Rules fit within their overall privacy compliance efforts for the other four states that have enacted comprehensive privacy laws. California is the only other state so far to release regulations accompanying its privacy legislation, and the Colorado Draft Rules differ from California’s regulations in several material ways.
For more information about complying with the CPA, please contact the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.