October 4, 2022
Colorado AG Releases Draft Regulations for Public Comment
On September 30, 2022, the Colorado Attorney General (AG) Phil Weiser released draft regulations under the Colorado Privacy Act (CPA) for public consultation.
Earlier this year, the Colorado AG published prepared remarks, coinciding with Data Privacy Day, on the way forward for privacy and security in Colorado. The remarks were used as an opportunity to outline plans to begin the rulemaking process under the CPA and how this can align with data security best practices.
The draft rules are now out for public consultation. Remarks can be submitted via the comment portal available at www.coag.gov/cpa until February 1, 2023.
Rulemaking under the CPA
The AG’s remarks in January focused on proposed rulemaking under the CPA, what can be expected from it, and estimated timeframes for the process. Attention was drawn to several key areas that the rulemaking would center on. These included:
- Developing fair mechanisms for consumers to exercise their rights
- Combatting the use of dark patterns
- Empowering individuals with the ability to understand their data profiles
- Developing methods of correcting inaccurate data
- Auditing and risk assessment requirements
“When I reflected on the state of federal inaction on data privacy and security three years ago, I called the state of play a ‘second best solution.’ The first best solution, I explained, would be national leadership by Congress that empowers states to act withing [sic] a framework of cooperative federalism. We are not in that world, however, and we must move to adopt second best solutions, meaning that the responsible step to take is to support state leadership to protect consumers. The alternative, unfortunately, is no protection at all.” – Phil Weiser, Colorado Attorney General
Since the remarks published in January, the AG’s office has posted a series of topics seeking written comments from consumers, businesses, and other stakeholders. The results of the call for comments culminated in the notice of proposed rulemaking issued on September 30.
What do the draft CPA regulations contain?
The draft regulations are extensive. However, the main themes are largely similar to those found in the AG’s remarks made in January. Keep in mind, the regulations are only a draft at this stage and still have a lengthy consultation process to go through.
The draft regulations add and clarify several key definitions, including sensitive data, biometric data, and universal opt-out mechanisms. They also include further information on areas such as consumer rights and how to respond to them, conditions for valid consent, and dark patterns.
Biometric data and biometric identifiers
The new definitions introduced by the draft regulations include both biometric data and biometric identifiers.
The definition of biometric data refers to biometric identifiers as information that is used alone or in combination with other personal data for identification purposes. As a result, the draft regulations further define biometric identifiers as “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.”
There are some exceptions to the definition of biometric data, which does not include:
- Digital or physical photographs
- Audio or voice recordings
- Any data generated from a digital or physical photograph or an audio or video recording
Further clarifying what information can be classified as sensitive data, the draft regulations include a new definition for Sensitive Data Inference(s).
This includes personal data that has been used by the data controller in combination with other data to make inferences that indicate information about an individual that would fall under the existing definition of sensitive data, e.g., racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.
Universal opt-out mechanisms
Similar to the Global Privacy Control (GPC), the draft regulations provide for the use of universal opt-out mechanisms to allow consumers to send a single opt-out to multiple controllers to exercise their right to opt-out of sale.
Under the draft regulations, a universal opt-out mechanism is defined as “mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for purposes of Targeted Advertising or the Sale of Personal Data OR which meets the technical specifications set forth pursuant to C.R.S. § 6-1-1313(2).”
An initial list of recognized universal opt-out mechanisms will be released no later than April 1, 2024, and will be updated periodically by the Colorado Department of Law.
The draft regulations also set out in further detail each of the conditions for valid consent under the CPA.
Valid CPA consent must meet each of the following conditions:
- It must be obtained through the consumer’s clear, affirmative action
- It must be freely given by the consumer
- It must be specific
- It must be informed
- It must reflect the consumer’s unambiguous agreement
When asking for consent, the data controller must disclose its identity, the reasons for collecting consent, the processing that the consent is needed for, the categories of personal data involved, and a list of all parties who will have access to the personal data. Consumers must also be informed of their right to withdraw consent and of how to withdraw it.
Data protection assessments
Data protection assessments under the draft regulations aim to bring clarity to the scope of the assessments, stakeholder involvement, the contents of an assessment, and timings.
The draft regulations state that a “data protection assessment must be a genuine, thoughtful analysis that: 1) identifies and describes all risks posed by processing that presents a heightened risk of harm to a consumer 2) documents measures considered and taken to address and offset those risks 3) contemplates the benefits of the processing and 4) demonstrates that the benefits of the processing outweigh the risks offset by safeguards in place.”
Additionally, data controllers must consider the depth and scope of data protection assessments, which should be proportionate to the size of the data controller and to the volume and sensitivity of the personal data and processing activities involved.
The draft regulations contain a list of the elements that must be included in a data protection assessment:
- The processing activity
- The specific purpose of the processing activity
- The specific types of personal data
- How the personal data is adequate, relevant, and limited to what is reasonably necessary
- Operational details for the processing
- Names and categories of personal data recipients, including third parties, affiliates, and processors
- The relationship between the data controller and the consumer
- The expectations of the consumer
- Procedural safeguards
- Alternative processing activities considered to achieve the same purpose
- The sources and nature of risks to individual consumers
- Measures and safeguards a data controller will put into place to mitigate risks
- The benefits of the processing that may flow to the data controller, consumer, and other expected stakeholders
- Internal actors and external parties contributing to the data protection assessment
- The data protection assessment review process, including whether any internal or external audit was conducted
Data controllers will need to perform the data protection assessment before starting the processing activity concerned. The assessment is required to be updated periodically as well as when existing processing activities are modified in a way that materially changes the level of risk presented.
Data protection assessments must be made available to the AG within 30 days of request.
Part 4 of the draft regulations focuses on clarifying the scope of consumer rights and the processes for fulfilling those rights. Under this section of the draft regulations, data controllers would be required to specify in their privacy notices which methods are available for consumers to submit rights requests. These intake methods would also need to meet specifications set out in the draft regulations, including consideration of the ways consumers normally interact with the data controller, the reasonable security measures used, and identity authentication requirements.
There is also clarification over the application of the Right to Opt-out, Right of Access, Right to Correction, Right to Deletion, and the Right to Data Portability.
- Right to Opt-Out – Data controllers will be required to maintain records of opt-outs and provide a conspicuous opt-out method that meets certain conditions specified by the draft regulations
- Right of Access – Further clarity has been added on how data controllers must provide information to consumers. This includes using the language in which the consumer interacts with the data controller, considering the target audience, and allowing consumers to make an informed decision regarding their other consumer rights
- Right to Correction – Data controllers will be required to make sure corrections to personal information remain corrected and that requests are made accessible to the consumer through their account settings
- Right to Deletion – Among other things, data controllers must permanently erase personal data from existing systems, except archive or backup systems, or de-identify personal data and inform data processors to delete the consumer’s personal data
- Right to Data Portability – Requests should be fulfilled through “a secure method in a commonly used electronic format.” Data controllers would not be required to fulfill requests that would disclose trade secrets.
Data controllers will also have a clearer understanding of the scenarios in which they can refuse to fulfill a consumer rights request. Lawful reasons would include conflict with other laws, if fulfilling the request is impossible, or if there is a belief that a request is fraudulent or abusive, among other things.
Regarding Dark Patterns, the draft regulations clearly prohibit the use of these interfaces, as defined by the CPA, and deem any consent acquired through the use of Dark Patterns invalid.
It should also be noted that the fact that an interface design is commonly used does not by itself prevent it from being considered a Dark Pattern, and data controllers can consider guidance from other jurisdictions relating to Dark Patterns when evaluating the appropriateness of their proposed choice architecture or system design.
What will this mean for organizations?
In the short term, organizations should stay on top of developments in Colorado to understand how their privacy programs may need to be adapted to comply with the final regulations. Three virtual stakeholder meetings are planned to discuss the draft regulations, and the public comment period will be open until February 2023.
However, once final regulations are issued, organizations may need to make significant changes to their privacy programs, including correctly classifying personal data, ensuring that consent is valid, not collected through the use of Dark Patterns, and documented accordingly, and completing data protection assessments. The draft regulations recognize that certain provisions can be fulfilled through activities and processes designed to comply with similar laws in other jurisdictions.