Keypoint: The changes are mostly controller-friendly with modifications to the privacy notice, consent, and data protection assessment provisions likely to facilitate compliance; however, the draft rules retain many of the hallmark provisions that make the CPA rules a significant and important addition to the U.S. privacy law landscape.
On December 21, 2022, the Colorado Attorney General’s office published revised draft Colorado Privacy Act (CPA) rules. The Office originally published draft rules in September. The revised draft rules consider public input received by the Office through three stakeholder sessions held in November as well as written comments received through early December.
The Office will hold a public rulemaking hearing on February 1, 2023. Interested parties can submit written comments until February 1, 2023, although the Office recommends that comments be submitted by January 18, 2023, if they are intended to be considered at the hearing.
In the post below we provide a summary of some of the more notable changes to the draft rules. For a discussion of the initial draft rules, please see our prior blog post and webinar.
What Did Not Change
Before analyzing the revisions, it is important to note that many of the notable provisions of the CPA draft rules did not change. For example, the draft rules still (i) contain extensive disclosure requirements around bona fide loyalty programs, (ii) suggest that controllers must create and enforce document retention schedules, (iii) contain extensive purpose specification and secondary use requirements, (iv) create a new category of sensitive data called sensitive data inferences, (v) define biometric data and biometric identifiers, (vi) provide robust guidance around obtaining user consent that is reminiscent of EDPB guidance, (vii) require extensive documentation of data protection assessments, and (viii) give significant consideration to the contours of the right to opt out of profiling.
In that respect, although controllers will find a lot to like in the revisions discussed below, the hallmarks of the CPA draft rules that make them a significant and important addition to the U.S. privacy law landscape remain.
What Did Change
In a significant change that will benefit controllers, the revised draft rules no longer require that privacy notices be drafted around processing purposes. The initial draft rules required controllers to describe each processing purpose and provide specific disclosures around that purpose such as (1) the categories of personal data processed, (2) the categories of personal data that the controllers sell to or share with third parties, if any, and (3) the categories of third parties to whom the controllers sell, or with whom the controllers share personal data, if any.
In the accompanying comments, the Office explained that it removed this requirement “[i]n consideration of comments arguing that purpose-based Privacy Notices would be burdensome and would not be interoperable with California Privacy Notice Requirements.” The comments also asked stakeholders to comment on how the draft rules can be made interoperable with the CCPA’s requirements while still considering the CPA’s purpose specification and secondary use requirements and ensuring that consumers have a meaningful understanding of the way their personal data will be used. The Office also solicited input into how controllers intend to draft privacy notices to cover both laws, including whether they will use separate Colorado and California notices, update California notices with Colorado or other state requirements, or revise their main privacy notice to meet Colorado and other non-California state requirements.
With respect to changes in privacy notices, the revised draft rules still require controllers to notify consumers of substantive or material changes to their privacy notices, but they do not need to provide that notice 15 calendar days before a change goes into effect.
The initial draft rules required controllers to refresh consent for processing sensitive data on an annual basis. The revised draft rules now state that refreshing consent is limited to instances in which a consumer has not interacted with the controller in the prior 12 months. Controllers also are not required to refresh consent where a consumer has access and the ability to update their opt-out preferences at any time through a user-controlled interface.
The revised draft rules also remove the provision that would have required controllers to obtain consent to process biometric identifiers or any personal data generated from a digital or physical photograph or an audio or video recording each year after the first year it is stored. However, controllers still must review such information at least annually to determine if its storage is necessary, adequate, or relevant to the express processing purpose for which it was collected.
In a related change, the revised draft rules clarify that, to qualify as a biometric identifier, the data generated from an individual’s biological, physical, or behavioral characteristics must be such that it can be processed for the purpose of uniquely identifying an individual. The unique identification requirement was missing from the initial draft.
A lingering compliance question is what controllers will need to do, if anything, with respect to personal data that they collect before the CPA goes into effect, but which will require consumer consent to process after the CPA goes into effect. For example, after the CPA’s July 1, 2023 effective date, controllers will need consumer consent to collect sensitive data. However, after July 1, 2023, do controllers need to retroactively collect consumer consent for sensitive data collected prior to July 1, 2023?
The initial draft rules stated that controllers would need to obtain consent prior to January 1, 2023 to continue processing sensitive data. That was presumably a typo given that consent would need to be obtained six months prior to the CPA’s effective date. The revised draft rules change the date to January 1, 2024. The revised draft rules also clarify that the requirement applies to the other instances in which the CPA requires consent, i.e., processing personal data for secondary purposes and to circumvent an opt-out choice.
Sensitive Data Inferences
The revised draft rules retain the concept of sensitive data inferences (i.e., inferences made by a controller based on personal data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status). The revised draft rules also still require controllers to obtain consumer consent to process sensitive data inferences. However, under the initial draft rules, controllers were not required to obtain consent to collect sensitive data inferences of consumers over the age of 13 if they, among other things, deleted the sensitive data inferences within 12 hours. The revised draft rules extend that time period to 24 hours.
Universal Opt-Out Mechanisms (UOOMs)
The initial draft rules required the Colorado Department of Law to maintain a public list of UOOMs that it would first need to publish no later than April 1, 2024. That deadline was moved up to January 1, 2024 (i.e., six months before the July 1, 2024, deadline for controllers to recognize UOOMs). In a companion change, the Department of Law will need to allow controllers six months to recognize a UOOM added to the public list. In addition, the revised draft rules remove the provision stating that UOOMs can operate through a means other than by sending an opt-out signal, for example by maintaining a “do not sell” list.
The Office revised a number of regulations to clarify that the prohibition on dark patterns applies when controllers are obtaining consumer consent and not generally to all user interfaces. This issue was raised in comments submitted by the Future of Privacy Forum, authored by Keir Lamont, Tatiana Rice and Felicity Slater. The Office modified the dark patterns provisions in Rule 7.09 (user interface design, choice architecture and dark patterns) and removed the prohibition against using dark patterns from Rule 4.02 (submitting requests to exercise personal data rights) and Rule 5.03 (notice and choice for universal opt-out mechanisms).
Data Protection Assessments
The revised draft rules narrow the topics that controllers must consider in preparing data protection assessments. The initial draft rules identified 18 topics for consideration whereas the revised draft rules now list 13 topics. Notwithstanding these changes, the revised draft rules still require controllers to engage in an extensive analysis when conducting these assessments.
Personal Data Rights
Right to Opt Out
The initial draft rules stated that controllers need to provide an opt-out method either directly or through a link in their privacy notice as well as in a location outside of their privacy notice. The revised draft rules remove the requirement that the method be provided in the privacy notice. The revised draft rules also no longer require that the method be available to consumers at or before the time the personal data is processed for an opt-out purpose.
Right to Access
The revised draft rules clarify that a request to access specific pieces of personal data includes final profiling decisions, inferences, derivative data, and other personal data created by the controller which is linked or reasonably linkable to an identified or identifiable individual.
Right to Correction
The right to correction now does not extend to archive or backup systems until the system is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose. If a controller denies a request to correct based on its determination that the contested personal data is likely accurate, it must provide an explanation of that decision to the consumer.
Controllers also no longer need to instruct processors to correct inaccurate personal data but rather must “use the technical and organizational measures or process established” by processors.
Right to Deletion
If a controller denies a request to delete based on an exception, it no longer needs to provide the consumer with “a list” of personal data that was not deleted but rather must provide the consumer with “the categories” of personal data that were not deleted.
Applicability of CPA
The CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado. The law, however, does not define the phrase “commercial products or services.” The revised draft rules now define this to mean “a product or service bought, sold, leased, joined, provided, subscribed to, or delivered in exchange for monetary or other valuable consideration in the course of a Controller’s business, vocation, or occupation.”
Publicly Available Information
The original definition of “publicly available information” stated that it does not include “inferences made exclusively from multiple independent sources of publicly available information.” This phrase was removed in the revised draft rules. The Office also added the word “inextricably” to another carveout provision such that publicly available information now does not include “Publicly Available Information that has been inextricably combined with non-publicly available Personal Data.” These changes broaden the types of information that can be considered publicly available information and, thus, not subject to the CPA.
The CPA does not apply to data maintained for employment records purposes; however, the law does not define what constitutes “employment records.” The revised draft rules fill in this gap by defining “employment records” as “records of an Employee, in the manner maintained by the Employer in the context of the Employer-Employee relationship and using reasonable efforts by the Employer to collect, having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, as well as other information maintained because of the Employer-Employee relationship.” The revised draft rules also provide definitions of “Employee” and “Employer.” The Office’s comments indicate that it based these definitions on definitions contained in the Colorado Wage Act.