Colorado Releases Draft Proposal of State Privacy Act

Previously, we reported that the Colorado Attorney General (“AG”) issued pre-rulemaking considerations to assist regulated entities in understanding the requirements and application of the Colorado Privacy Act (“CPA” or “Act”), which will go into effect on July 1, 2023.

On September 30, 2022, the Colorado AG issued a proposed draft[1] of the CPA. The Colorado AG will be holding three virtual stakeholder meetings on November 10, 15, and 17, 2022 to gather feedback that will form the basis of the final rule.

Public comments are due by November 7, 2022. On February 1, 2023, the Colorado AG will be holding a public hearing at 10:00 am CST both in person and via video conference, where interested parties will be permitted to testify, as well as submit written comments through the CPA rulemaking comment portal.

After the February hearing, the Colorado AG will have 180 days to adopt a final draft of the CPA.

Proposed Draft

Consumer Disclosures

When a data controller issues a disclosure, the disclosure must be:

  • “Understandable and accessible” to a data controller’s “target audience” and take any “vulnerabilities or unique characteristics of the audience” — especially those present when the audience is a child — into consideration;

  • Reasonably accessible to consumers with a disability; and

  • Available in the languages, on all interfaces, and on all devices that the data controller uses to conduct its ordinary business.

Consumer Personal Data Rights

Consumers have the right to:

  • Opt out of the processing of their personal data;

  • Access all “specific pieces” of personal data the data collector has collected and maintains;

  • Correct their personal data “across all data flows and repositories” and, in turn, a data controller must implement measures to ensure that the consumer’s personal data remains correct;

  • Have their personal data “permanently and completely” deleted from the data collector’s existing systems, as well as their archived or backup systems; and

  • Have a data controller transfer the consumer’s personal data that has been collected and maintained “through a secure method in a commonly used electronic format that enables the [c]onsumer to have complete access to and full enjoyment” of the personal data.

Universal Opt-Out Mechanism (“UOOM”)

Consumers may opt out of the processing of their personal data “for purposes of Targeted Advertising or the Sale of Personal Data” by utilizing a Universal Opt-Out Mechanism—a list of available and compliant mechanisms that will be provided by the state of Colorado. The purpose of the mechanism is to permit consumers to opt out of such processing generally, across all platforms, without having to submit individual requests to each data controller.

Under the mechanism, consumers can elect to opt out of this processing for “all purposes” or for “select purposes.” After a consumer’s election has been made, the mechanism will communicate the consumer’s preference selection to all data processors in the state by sending an “opt-out signal” or by adding the consumer to a publicly maintained list of consumers who have made a similar decision.

In turn, data controllers will access only the consumer information necessary to confirm that the consumer is a citizen of Colorado and that the opt-out request is legitimate. Data controllers may not, however, require a consumer to log in or otherwise authenticate the consumer’s request in any manner.

Controller Duties

Controllers must provide consumers with a compliant privacy notice that provides “a meaningful understanding and accurate expectations of how their Personal Data will be Processed” and notifies them of their rights under the Act.

Additionally, upon the occurrence of changes to these privacy notices, data controllers must notify consumers of any “substantive or material” changes, including but not limited to, changes to:

  • categories of the personal data being processed;

  • the purpose for engaging in processing;

  • the identity of the Controller; and

  • guidance on how a consumer may exercise their rights under the Act.

A data controller may, however, offer consumers “Bona Fide Loyalty Program Benefits” based on a consumer’s voluntary and continued participation in these programs—which requires consumer consent to the processing of their personal data. However, once participation has ceased, the data controller must delete the consumer’s personal data.

In collecting a consumer's personal data, the data controller must provide the consumer with the “express purposes” for collecting and processing their personal data. Additionally, the data controller must practice “data minimization” by collecting only that data which “is reasonably necessary for the specified purpose.”

Where the consumer’s personal data meets the definition of “sensitive data” under the Act, controllers are required to obtain consent from the consumer to engage in the collection or processing of this data.

Consent

A data controller must obtain a consumer’s consent to:

  • process “sensitive data”;

  • process personal data of a consumer who is a known child;

  • sell a consumer’s personal data;

  • process a consumer's personal data for targeted advertising or profiling purposes; and

  • process a consumer's personal data in a manner that is incompatible with the data controller’s originally specified purpose for doing so.

Additionally, data controllers must comply with the various requirements for obtaining a consumer’s consent under the CPA.

Data Protection Assessments

A data controller, including its internal team and any relevant and necessary external parties, is required to conduct a data protection assessment (“DPA”) which:

  • identifies the “heightened risks” posed to a consumer by processing certain information;

  • outlines the measures considered and taken to address or offset the identified risks;

  • addresses the data controller’s perceived benefit of engaging in processing this information; and

  • demonstrates that the identified benefits of the processing outweigh the risks it presents.

The data processor must conduct a DPA prior to initiating the data processing activity that presents a “heightened risk” to the consumer.

Profiling

When engaging in the review or monitoring of a consumer’s information (“profiling”) to benefit their operations, data controllers must issue a compliant notice to consumers stating the purpose of such processing, inform consumers of their rights under the CPA, and act in accordance with consumers’ opt-out preferences, where selected.

[1] https://coag.gov/app/uploads/2022/10/CPA_Final-Draft-Rules-9.29.22.pdf