28 December 2022

Colorado Privacy Act revised draft rules released

Colorado amends proposed regulations for implementing comprehensive consumer privacy law

On December 21, 2022, the Colorado Attorney General (the AG) and Colorado Department of Law (the Department) published revised draft Colorado Privacy Act (CPA) rules. Following the publication of initial draft CPA rules on October 10, 2022, these revised draft rules seek to address concerns expressed through a series of stakeholder sessions in November and public input received through December 2, 2022.

Like the European Union’s General Data Protection Regulation and the California Privacy Rights Act (CPRA), the initial CPA draft rules emphasized data transparency and user control. They would give consumers rights over their personal data, including the ability to access, correct or delete personal information held by an entity and opt out of having their personal data sold or used for targeted advertising or profiling. Entities that collect personal data would be required to give consumers a clear way to exercise these new data rights and to stop using a consumer’s personal data within 15 days of the consumer’s opt-out request.

In addition, the initial draft rules would impose specific requirements for privacy disclosures, data security and internal assessments of personal data processing.

Key changes

Notable changes in the revised draft CPA rules include the following:

1.  Personal data rights

a.  Right of access

The revised draft rules explain that an access request for specific pieces of personal data “includes final profiling decisions, inferences, derivative data, and other personal data created by the controller which is linked or reasonably linkable to an identified or identifiable individual.”

b.  Right to correction

The right to correction no longer covers an archive or backup system until such system “is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose.” Moreover, if a controller denies a consumer’s correction request based on the determination that the contested personal data is likely accurate, then it must provide the consumer a written explanation of its decision.

In addition, rather than instruct processors to correct inaccurate personal data, a controller must now “use the technical and organizational measures or process established” by its processors to make the necessary corrections.

c.  Right to deletion

Similarly, a controller must “use the technical and organizational measures or process established by its processors” to comply with a consumer’s deletion request. If a controller denies a deletion request based on an exception under the CPA, it no longer needs to provide the consumer with “a list” of personal data that was not deleted but rather must provide “the categories” of personal data that were not deleted.

d.  Right to opt out

The initial draft rules required a controller to provide an opt-out method either directly or through a link in its privacy notice as well as in a readily accessible location outside its privacy notice. Under the revised draft rules, a controller no longer needs to provide an opt-out method in its privacy notice or to make such method available to consumers at or before the time the personal data is processed for opt-out purposes.

2.  Universal opt-out mechanism

The revised draft rules shortened the deadline for the Department to publish its initial public list of universal opt-out mechanisms (UOOMs) from April 1, 2024 to January 1, 2024 (ie, six months before the July 1, 2024 deadline for controllers to recognize UOOMs). They also remove the provision allowing UOOMs to operate through a means other than by sending an opt-out signal (eg, by maintaining a “do not sell” list).

3.  Controller obligations

a.  Privacy notices

The initial draft rules required a controller to describe each processing purpose and provide specific disclosures regarding that purpose, including (i) the categories of personal data processed, (ii) the categories of personal data that the controller sells to or shares with third parties and (iii) the categories of third parties to whom the controller sells, or with whom the controller shares personal data.

The revised draft rules no longer require that privacy notices be purpose-based. According to the accompanying comments from the AG and the Department, the requirement was removed in consideration of public feedback that it would be burdensome and not interoperable with California privacy notice requirements.

The accompanying comments also invite targeted public feedback on two issues:

  • How the revised draft rules can be made interoperable with California’s privacy notice requirements (while still considering the CPA’s purpose specification and secondary use requirements, and ensuring that consumers have a meaningful understanding of the way their personal data will be used) and
  • How a controller intends to draft privacy notices to cover both laws (including whether it will use separate Colorado and California notices, update California notices with Colorado or other state requirements, or revise its main privacy notice to meet Colorado and other non-California state requirements).

While a controller is still required to notify consumers of substantive or material changes to its privacy notice, it no longer needs to provide the notice 15 calendar days before a change goes into effect.

b.  Consent

The revised draft rules reflect changes to the requirements for obtaining (i) refreshed consent, (ii) retroactive consent, (iii) consent to process sensitive data inferences and (iv) consent through the use of dark patterns.

First, whereas the initial draft rules required a controller to refresh consent for processing sensitive data on an annual basis, the revised draft rules limit the need to do so to instances in which a consumer has not interacted with the controller in the prior 12 months. In addition, when consumers have the ability to update their opt-out preferences at any time through a user-controlled interface, the controller is not required to refresh consent.

While a controller no longer needs to obtain consent to process biometric identifiers or any personal data generated from a digital or physical photograph or an audio or video recording each year after the first year it is stored, the revised draft rules still require the controller to review such information at least annually to determine if storage is necessary, adequate or relevant to the express processing purpose for which it was collected, and to document that review in a written assessment. To qualify as a biometric identifier, generated data related to an individual’s biological, physical or behavioral characteristics must now be such that it can be processed for the purpose of “uniquely” identifying an individual.

Second, regarding retroactive consent, the revised draft rules change the date by which a controller needs to obtain consent to continue processing sensitive data – from January 1, 2023 to January 1, 2024. They also clarify that the requirement applies to the other instances in which the CPA requires consent (ie, for processing personal data for secondary purposes and circumventing an opt-out choice).

Third, as a general rule, a controller is still required to obtain consent to process sensitive data inferences.[1] The rule does not apply, however, if (i) the consumer is over the age of 13 and (ii) the controller, among other things, deletes such sensitive data inferences within a certain time period. The revised draft rules extend that period from 12 to 24 hours.

c.  Data protection assessments

The revised draft rules maintain the requirement for a controller to engage in an extensive analysis when conducting a data protection assessment. Whereas the initial draft rules identified 18 topics for a controller to consider in preparing that assessment, the revised draft rules now list only 13 topics.

d.  Dark patterns

The revised draft rules make clear that the prohibition on dark patterns applies when a controller is obtaining consumer consent. The prohibition does not apply generally to all user interfaces.

4.  Definitions

The revised draft rules also clarify a number of important definitions:

a.  Commercial products or services

While the CPA applies to a controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, the law does not include a definition of “commercial products or services.” Under the revised draft rules, “commercial products or services” are now defined as “a product or service bought, sold, leased, joined, provided, subscribed to, or delivered in exchange for monetary or other valuable consideration in the course of a Controller’s business, vocation, or occupation.”

b.  Employment records

The CPA does not apply to data maintained for employment records purposes. The revised draft rules now define “employment records” to mean the “records of an employee, in the manner maintained by the employer in the context of the employer-employee relationship and using reasonable efforts by the employer to collect, having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, as well as other information maintained because of the employer-employee relationship.”

Consistent with the definitions in the Colorado Wage Act, the revised draft rules also define the terms “employee” and “employer”:

  • “Employee” means any person, including a migratory laborer, performing labor or services for the benefit of an employer. Relevant factors in determining whether a person is an employee include the degree of control the employer may or does exercise over the person and the degree to which the person performs work that is the primary work of the employer; except that an individual primarily free from control and direction in the performance of the service, both under his or her contract for the performance of service and in fact, and who is customarily engaged in an independent trade, occupation, profession, or business related to the service performed is not an “employee.”
  • “Employer” means every person, entity, firm, partnership, association, corporation, migratory field labor contractor or crew leader, receiver, or other officer of court in Colorado, and any agent or officer thereof, of the abovementioned classes, employing any person in Colorado.

c.  Publicly available information

The revised draft rules broaden the types of information that can be considered publicly available information not subject to the CPA. “Publicly available information” no longer includes (i) “inferences made exclusively from multiple independent sources of publicly available information,” or (ii) “publicly available information that has been inextricably combined with non-publicly available Personal Data.”

Next steps

The CPA goes into effect on July 1, 2023. As with the CPRA, complete compliance with the CPA is not possible until the law’s implementing regulations are finalized in 2023.

The revised draft CPA rules are subject to further changes and modifications before and after a formal CPA rulemaking hearing scheduled for February 1, 2023. The AG has invited interested and affected parties to provide oral comment on the revised draft rules at the hearing. Members of the public can also provide written input through the comment portal and are encouraged to submit such written comments by January 18, 2023 for consideration at the hearing.

If you have questions or need additional information, please contact the authors or your DLA Piper relationship attorney.

[1] Sensitive data inferences are inferences made by a controller based on personal data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.