On December 21, 2022, Colorado’s Office of the Attorney General (“Colorado AG”) published an updated version of the draft Colorado Privacy Act (“CPA”) rules. Colorado Governor Jared Polis signed the CPA – the second comprehensive state privacy law after the California Consumer Privacy Act – into law back in July 2021. The Colorado Secretary of State made the initial proposed draft rules available on the Colorado Register on October 10, 2022. Following a period of public input through December 2, 2022, the Colorado AG published this second version of the proposed CPA rules (“Version 2 Rules”) with redline changes based on the feedback received during that period.
In today’s blog post, we highlight some of the most notable changes.
New and Revised Definitions
The Version 2 Rules added new definitions to the Colorado Privacy Act for “commercial product or service,” “employee,” “employer,” “employment records,” and “noncommercial purpose,” while also removing the definition of “automated processing” and replacing it with revised definitions for “human involved automated processing” and “human-reviewed automated processing.”
“Biometric identifiers” now means data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed for the purpose of uniquely identifying an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.
The Version 2 Rules struck “inferences made exclusively from multiple independent sources of publicly available information” from the list of data elements not considered to be Publicly Available Information.
Clarifications on Data Subject Rights
The Version 2 Rules added new language intended to clarify the contours of the CPA’s data subject rights.
For example, to enable a consumer to exercise the right to opt out, a controller must:
- Provide the privacy notice opt-out disclosures; and
- Provide a clear and conspicuous method for consumers to exercise the right to opt out of the processing of personal data, either directly or through a link, in a clear, conspicuous and readily accessible location outside the privacy notice.
The Version 2 Rules surrounding the right of access now include language urging controllers to avoid incomprehensible internal codes and to include explanations that would allow the average consumer to make an informed decision about whether to exercise deletion, correction, or opt-out rights.
Controllers and processors may also now delay compliance with a consumer’s correction request if they need to restore an archived or backup system in order to do so.
Additional Information on Universal Opt-Out Mechanisms
Under the Colorado Privacy Act, effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out through a user-selected universal opt-out mechanism (“UOOM”).
The Version 2 Rules change the date on which the Colorado Department of Law must publish an initial public list of standardized UOOMs from April 1, 2024, to January 1, 2024. Furthermore, the marketing for such UOOMs may also describe functionality other than the exercise of opt-out rights and need not refer specifically to opt-out rights in the State of Colorado.
Updated Privacy Notice Rules
The Version 2 Rules removed language from the CPA that focused privacy notice drafting around each processing purpose. The Colorado AG is also specifically seeking comment on how else the draft CPA rules can be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification and secondary use requirements.
Also new in the Version 2 Rules is additional information pertaining to a controller’s requirement to notify consumers of substantive or material changes to a privacy notice. Substantive or material changes may include, but are not limited to, changes to:
- Categories of personal data processed;
- Processing purposes;
- A controller’s identity;
- The act of sharing of personal data with third parties;
- The identity of affiliates, processors, or third parties that personal data is shared with; or
- The methods by which consumers can exercise their data rights.
Under the Version 2 Rules, controllers must refresh consent if a consumer has not interacted with the controller in the prior twelve (12) months and the controller is processing sensitive data or processing personal data for a secondary use involving profiling for a number of significant decisions (such as those related to housing, insurance and/or healthcare).
Changes and Additions to Data Protection Assessment Content
The Version 2 Rules make several changes and additions to the types of information that a data protection assessment must, at a minimum, contain. These additions include a short summary of the processing activity, the categories of personal data to be processed, the context of the processing activity, the nature and operational elements of the processing activity, and the core purposes of the processing activity, as well as other benefits that may flow to the controller, consumer, and other expected stakeholders.
The formal Colorado Privacy Act rulemaking hearing is scheduled for February 1, 2023. The CPA becomes effective on July 1, 2023.
Businesses subject to the Colorado Privacy Act should familiarize themselves with the content of the Version 2 Rules. While not finalized yet, they offer an indication of the areas of focus the Colorado AG is considering as well as what to expect come July.
Octillo continues to actively monitor updates to the privacy landscape as well as the impacts that new CPA rules will have on businesses. To learn more about the impact the CPA may have on your business, reach out to our team of highly skilled attorneys.
*Attorney advertising: prior results do not guarantee a similar outcome.