Colorado became the third state to pass comprehensive privacy legislation when it enacted the Colorado Privacy Act (CPA) in May 2021. Mainly, the CPA requires businesses, nonprofits, and other organizations meeting certain threshold requirements to conform their information practices to the CPA’s requirements and to honor consumers’ requests to exercise their privacy rights with respect to their information.
The CPA gave the Colorado Department of Law (Department) authority to adopt rules interpreting the CPA’s requirements, and in October 2022 the Department released a first draft of proposed rules. On December 21, 2022, the Department published a revised draft to incorporate issues raised in public comments and the Department’s November hearings.
While the proposed regulations remain a step forward for consumer privacy protections, the revisions largely remove the more stringent requirements for covered entities included in the original draft. Here are some of the noteworthy amendments:
The definition of “Biometric Identifiers” has been narrowed to apply only to identifiers processed for the purpose of uniquely identifying an individual, such as authenticating someone accessing a secure space or account. Now, Controllers can use this information for other purposes, such as developing AI tools, without needing to conform to the CPA’s restrictions.
The Department addressed confusion about how the CPA applicability thresholds and exclusions apply to certain Controllers by including definitions of “Commercial Product or Service” and “Noncommercial Purpose.” Notably, a Commercial Product or Service hinges on the exchange of “monetary or other valuable consideration,” which particularly helps clarify the CPA’s applicability to non-profits.
The Department modified the exclusions to the CPA’s definition of “Publicly Available Information,” removing “[i]nferences made exclusively from multiple independent sources of publicly available information” in favor of “Publicly Available Information that has been inextricably combined with non-publicly available Personal Data.” This edit may have been made in an effort to address some news outlets’ First Amendment concerns and will impact data brokers’ operations.
- Privacy Notice
The Department deleted the requirement that privacy notices be organized by the purpose for which information is collected. This greatly improves interoperability between the CPA’s and the California Consumer Privacy Act’s privacy notice requirements, so Controllers will not need to have multiple privacy policies if they prefer to address state-specific privacy rights through one policy.
In the limited circumstances where Controllers must obtain consumer consent, the initial draft rules stated that Controllers needed to reconfirm a consumer’s consent annually. Now, Controllers only need to do this where a consumer cannot readily change their consent preferences and the consumer has not interacted with the Controller in the past year. This considerably reduces the burden on Controllers that provide opportunities to revoke consent through readily available tools like account or device settings or a webform.
- Universal Opt-Out Mechanism (UOOM)
The Department removed technical criteria stating that a UOOM can “operate through a means other than by sending an opt-out signal, for example by maintaining a ‘do not sell’ list.” This revision may be in response to industry comments regarding the burden of consulting do-not-sell lists and highlighting the Federal Trade Commission’s reservations with respect to the security of such lists. However, the rules as drafted do not prevent the Department from considering the merits of a do-not-sell list should a developer apply for Department approval at a later date.
The Department also revised the UOOM approval process to give Controllers more lead time to recognize sanctioned UOOMs. This change will alleviate Controllers’ concerns about their ability to honor these rapidly developing tools in a timely manner.
- Dark Patterns
The revised rules have removed many of the express prohibitions on the use of “Dark Patterns” included throughout the original draft. The remaining prohibitions on Dark Patterns apply only to obtaining Consent. These revisions more closely align the rules’ treatment of Dark Patterns with the CPA’s text. However, the Department can still bring enforcement actions against Controllers who engage in unfair or deceptive practices under the Consumer Protection Act’s broad application.
Accompanying the revised rules are several questions the Department has posed to the public, including how (and whether) opt-outs should apply to participation in loyalty programs and whether IP addresses should be used to authenticate a consumer’s Colorado residency. Inclusion of these questions indicates that the Department may be considering releasing another set of revisions before adopting a final version of the rules. The public can still submit written comments until the formal rulemaking hearing on February 1, but the Department suggests submitting comments before January 18 to give staff time to incorporate input.
Now is the perfect time to start planning your compliance program before the CPA goes into effect on July 1, 2023. Our experienced Privacy & Cybersecurity team at Michael Best is ready to assist you with designing your CPA-compliant privacy program or answer any questions you have. You can read our previous assessment of the first draft of the CPA rules here and check out our summary of the CPA here.