Keypoint: The draft CPA rules retain the hallmarks of what makes the CPA rules unique but contain some notable revisions and clarifications.
On Friday, January 27, 2023, the Colorado Attorney General’s Office published the third draft Colorado Privacy Act (CPA) rules. The Office previously published initial draft rules in October and revised rules in December. The Office published these revised rules shortly before its formal rulemaking hearing scheduled for February 1, 2023. The Office also extended the time for written comments until February 3, 2023.
In the below post we provide a high-level summary of some of the more notable changes to the draft rules in this latest revision.
Changes to Privacy Notice Requirements
The Office continued to revise the privacy notice requirements, in particular, the requirements regarding when controllers must notify consumers of changes to a privacy notice.
First, the Office removed the requirement that controllers must notify consumers of “substantive” changes. The remaining text states that controllers must notify consumers of “material” changes.
Second, the Office revised one of the examples of what constitutes a material change. Controllers will now have to notify consumers if there is a change to the categories of affiliates, processors or third parties with whom personal data is shared. The prior draft said that controllers needed to notify consumers if there was a change to the identity of the affiliate, processor, or third parties, even though the privacy notice requirements themselves did not require that level of disclosure.
Refinement of Definition of What is Not Publicly Available Information
The Office continued to revise its definition of what does not constitute publicly available information. By way of background, the CPA states that “personal data” does not include “publicly available information,” which it defines as “information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”
In the initial draft rules, the Office listed the following six categories of information that are not publicly available information:
1. Any Personal Data obtained or processed in in violation of C.R.S. §§ 18-7-107 or 18-7-801.
2. Inferences made exclusively from multiple independent sources of publicly available information;
3. Biometric Data;
4. Genetic Information;
5. Publicly Available Information that has been inextricably combined with non-publicly available Personal Data; or
6. Nonconsensual Intimate Images known to the Controller.
In the second draft rules, the Office deleted the second category: “Inferences made exclusively from multiple independent sources of publicly available information.”
In this set of draft rules, the Office deleted the fifth category: “Publicly Available Information that has been inextricably combined with non-publicly-available Personal Data.”
Organizations such as the Software and Information Industry Association (SIIA) had argued for the deletion of that category because it “would create additional compliance obligations for companies, undermine the interstate interoperability of consumer privacy laws, and violate the First Amendment.”
Revisions to Opt-Out Requirements
Controllers will no longer need to process opt out requests within 15 days and instead will need to process them “without undue delay” and “taking into account the size and complexity of the Controller’s business and burden of operationalizing the opt-out.”
The rules also now will require controllers to provide a clear and conspicuous method for consumers to exercise their right to opt out of profiling “at or before the time such processing occurs.” By way of background, the CPA only requires controllers to provide a clear and conspicuous method for the opt out of sales and targeted advertising. See C.R.S. § 6-1-1306(1)(a)(III) (“A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data . . . .”).
Changes to Right to Access
The Office clarified that a consumer’s right to obtain specific pieces of personal data includes the right to obtain marketing profiles.
Changes to Right to Correction
The Office removed the language stating that controllers must implement reasonable measures to ensure that personal data remains corrected.
Changes to Right to Deletion
The Office removed the requirement that controllers must notify processors and affiliates to delete the consumer’s personal data obtained from the controller.
The Office also modified the exemption in Rule 4.06E. That exemption states that if a controller has obtained personal data about a consumer from a source other than the consumer, it can comply with a deletion request by either (1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the consumer’s records and not using such retained data for any other purpose or (2) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of C.R.S. § 6-1-1304.
This exemption is intended to address entities that consistently ingest consumer personal data from third party sources and therefore struggle with operationalizing deletion requests. However, some are concerned that the second option swallows the rule. Therefore, the Office limited that option by adding new language stating: “If a Controller complies with a deletion request by opting the Consumer out of Processing under 4.06(E), and does not opt the Consumer out of some Processing of Personal Data because the Processing purpose is exempted pursuant to the provisions of C.R.S. § 6-1-1304, the Controller shall provide the Consumer with the categories of Personal Data that were not deleted along with the applicable exception, and shall not use the Consumer’s Personal Data retained for any other purpose than provided for by the applicable exception.”
Changes to Authentication Requirements
The rules no longer require controllers to “establish, document and comply with” a reasonable method for authenticating the identity of consumers. Instead, controllers are required to “use commercially reasonable methods” to authenticate. The rules also now state that, when determining whether an authentication method is commercially reasonable, controllers must consider the “cost of authentication to the Controller” in addition to the other factors.
Universal Opt-Out Mechanism
The Office made two important additions to this section.
First, the Office revised the UOOM notice requirement to create better interoperability with other state privacy laws. The Office did this by stating that the notice requirement does not need to refer to “any other specific provisions of these rules or the Colorado Privacy Act.” The Office also explained that it is sufficient for the notice to state that the UOOM allows consumers to exercise “any and all opt-out rights available to you under state laws” or “the right to opt out of the sharing of personal data.”
Second, the rules now state that a platform, developer, or provider that provides a UOOM is not obligated to authenticate that a user is a Colorado resident but “may provide such authentication capabilities if it chooses.”
The Office continued to flesh out how loyalty programs will be treated under the CPA. For example, the Office introduced a new term “Bona Fide Loyalty Program Partner,” which it defines as a third party that provides bona fide loyalty program benefits to consumers through a controller’s bona fide loyalty program, either alone or in partnership with the controller. The Office also revised the disclosure obligations associated with loyalty programs. Finally, the Office added three more helpful illustrative examples of how bona fide loyalty programs must operate in various situations.
Consent for Children
The Office removed the requirement from Rule 7.06 that controllers verify a consumer’s age under certain conditions. Specifically, the Office deleted the sentence: “If a controller operates a website or business directed to Children or has actual knowledge that it is collecting or maintaining Personal Data from a Child, the Controller shall take commercially reasonable steps to verify a Consumer’s age before Processing that Consumer’s Personal Data.”