Colorado AG Issues Pre-Rulemaking Considerations for the Colorado Privacy Act

On April 12, 2022, the Colorado Attorney General (“AG”) issued pre-rulemaking considerations to assist regulated entities in understanding the requirements and application of the Colorado Privacy Act (“CPA”), which will go into effect on July 1, 2023.   

The Office of the Colorado Attorney General (the “Office”) outlined the following key guiding principles that it will apply in implementing the CPA:

  • Promote Consumer Rights – the rules should help consumers understand the CPA and how to exercise the rights granted to them under it.

  • Clarify Ambiguities – the rules should clarify compliance requirements and minimize unnecessary disputes.

  • Facilitate Efficient and Expeditious Compliance – the rules should assist controllers and processors in complying with the law by establishing simple processes for consumers, entities, and enforcement agencies.

  • Harmonize – the rules should facilitate interoperability with the competing protections and obligations created by state, national, and international frameworks that apply to covered entities.

  • Allow for Innovation – the rules should not “unduly burden” covered entities or prevent them from “developing creative, adaptive solutions to address challenges presented by advances in technology.”

To advance these principles, the AG's office has invited covered entities and affected parties to engage in an informal, pre-rulemaking feedback process on the following topics:

  • Universal Opt-Out – How should the AG's office implement the CPA’s requirement to “adopt rules that detail the technical specification for” universal opt-out mechanisms (“UOOMs”)?

    • Specifically, which protocols should be implemented, what considerations should be made for the different systems that may serve as UOOMs, and what type of mechanism should be used to verify the residency of consumers seeking to opt out.

  • Consent – How should the AG's office clarify common questions regarding the CPA’s requirement for consumer consent to process their data?

    • Specifically, how should terms such as a “clear, affirmative act” of consent and “informed consent” be defined? Additionally, what limits should be set on how a controller may request renewed consent after a consumer has elected to “opt out” of a service?

  • Dark Patterns – What specific types of dark patterns should the rules identify as prohibited, and what research can be used to identify the impact on consumers of specific dark patterns or design choices?

    • "Dark patterns" are user interfaces that are designed or utilized to subvert or impair “user autonomy, decision-making, or choice.”

  • Data Protection Assessments – What control should the AG's office have over the CPA-required data protection assessments (“DPAs”) that must be conducted by data controllers? Specifically, should the AG's office be able to establish requirements for the “form and content” of a DPA? Additionally, should the AG's office be permitted to request that controllers submit their DPAs to it? If so, are there any limitations or parameters that should apply to that ability?

  • Profiling and “Legal or Similarly Significant Effects” – How can the AG's office act to “meaningfully allow consumers to understand the automated processing of their personal data”? Are there any “individual legal or civil rights concerns regarding automated profiling [that] should be specifically addressed in the rules[?]”

  • Opinion Letters and Interpretive Guidance – What type of interpretive guidance should the AG's office issue, and what should the process be for requesting it?

  • Offline and Off-Web Collection of Data – How should the CPA apply to the forms of “offline” data collection, such as “filling out rental forms, signing petitions on a sidewalk, or buying magazine subscriptions,” that may be later entered into a digital database?

  • Protecting Colorado Residents in a National and Global Economy – How should the CPA be harmonized with other laws? Are there any laws in other jurisdictions that should be considered in establishing CPA rulemaking?
