by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Alessandra G. Masciandaro, and Ned Terrace
On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act.
This post addresses the timeline for COAG rulemaking and the current proposed rules relating to (1) new responsibilities for controllers related to consumer rights, (2) privacy notices, (3) universal opt-out mechanisms, (4) consent for processing sensitive data, (5) biometric data, (6) data minimization, (7) data protection assessments, and (8) profiling. Companies subject to ColoPA should review their practices to ensure compliance before ColoPA’s July 1, 2023 effective date.
Rulemaking Timeline and Hearing
The COAG has issued three iterations of its proposed rules, on October 10, 2022, December 21, 2022, and January 27, 2023. On February 1, 2023, the COAG hosted a public hearing to provide an overview of its rulemaking process and the status of the rules. The COAG indicated that there could be further rulemaking for ColoPA and took public comments on the current proposed rules.
The COAG accepted written comments until February 3, 2023 and then closed the rulemaking record. The COAG has until July 31, 2023 to adopt the proposed rules, though it intends to finalize the rules before ColoPA takes effect.
(1) Facilitating Consumer Rights: Like other state privacy laws, ColoPA provides Colorado residents with the rights to access, correct, delete, and move personal data as well as the right to opt out from sales and targeted advertising. The proposed rules provide further details on several of these requirements:
- Broad Concept of “Publicly Available” Information. Under ColoPA, “publicly available” information is excluded from the definition of personal data. An earlier version of the proposed rules listed categories of data that were not to be considered publicly available; the COAG has now removed two of those categories from the list: “inferences made exclusively from multiple independent sources of publicly available information” and “publicly available information that has been inextricably combined with non-publicly available personal data.” Removing them expands the scope of what counts as publicly available information and therefore narrows the scope of personal data.
- Right of Access. The information that a controller must provide in response to a consumer’s access request now includes marketing profiles. Neither ColoPA nor the proposed rules define “marketing profiles.”
- Denying Correction Requests. A controller can deny a consumer’s request to correct their personal data if the controller determines that the data that is the subject of the request is “more likely than not accurate.” Before denying a correction request on this ground, however, the controller must first ask the consumer for additional documentation in an attempt to verify the accuracy of the requested correction.
- No Third-Party Notice of Deletion Requests. When consumers submit deletion requests to a controller, that controller is not required to notify processors and affiliates.
- Requests to Delete Data Obtained from Third Parties. When a deletion request relates to personal data obtained from third parties, controllers can respond in one of two ways. First, a controller can comply with the request to delete the personal data and retain only two items to ensure the request remains effectuated: (1) a record of the deletion request; and (2) the minimum data necessary to ensure the consumer’s data remains deleted. Second, a controller can forgo deletion of some personal data and instead opt the consumer out of processing for any purpose, except for those exempted by ColoPA, such as processing personal data for certain research purposes. In this case, the controller must inform the consumer of the categories of personal data that were not deleted and the applicable exemption, and it cannot use the consumer’s personal data for any purpose other than the exempted purposes.
- Authentication Requirements. Controllers must “use commercially reasonable methods” to authenticate the identity of consumers or their agents. Factors that indicate “commercially reasonable methods” include the cost of authentication to the controller, the personal data involved, and the possible harm that improper use or access could cause the consumer.
- Opt-Out Notices. ColoPA provides consumers with the right to opt out of the processing of personal data for various purposes, such as targeted advertising and the sale of personal data. The proposed rules simplify how businesses can comply with a consumer’s opt-out request. Controllers generally do not need to provide opt-out notices at or before the time they process the consumer’s personal data, and there is no longer a 15-day deadline to comply with opt-out requests. Instead, the opt-out method must be clear, conspicuous, and readily accessible in an obvious location of a website or application. For profiling that results in significant effects, however, such as denial of financial services, housing, or employment opportunities, controllers must provide an opt-out notice at or before the time of such processing. Controllers must comply with opt-out requests “as soon as feasibly possible and without undue delay,” “taking into account the size and complexity of the Controller’s businesses and burden of operationalizing the opt-out.” When a consumer submits an opt-out request together with other data rights requests, the controller must prioritize compliance with the opt-out request.
(2) Privacy Notices: In its latest iteration of the proposed rules, the COAG revised the requirements for privacy notices. Controllers must provide privacy notices to consumers that, among other things, allow consumers to submit requests to exercise their data rights at any time. Additional points on privacy notices include:
- Interoperability. Controllers do not have to use Colorado-specific privacy notices; they can adapt existing privacy notices that are used to comply with California’s privacy notice requirements. Privacy notices need not be “purpose-based,” as such privacy notices would not be interoperable with California’s privacy notice requirements. During the rulemaking hearing, the COAG’s office asked how else the proposed rules can be made interoperable with California’s privacy notice requirements. This signals a practical approach to rulemaking.
- Notification of Changes to Privacy Notices. Controllers do not need to notify consumers of substantive changes to a privacy notice. Rather, controllers must notify consumers of material changes to a privacy notice.
(3) Universal Opt Out: Under ColoPA, consumers may use a Universal Opt-Out Mechanism (“UOOM”) to signal their desire to opt out of the processing of personal data for targeted advertising and sale. The proposed rules require businesses to recognize a consumer’s UOOM signal and opt the consumer out of data processing as indicated by the UOOM. Controllers may, but are not required to, verify that a UOOM request is sent by a Colorado resident. When the scope of the UOOM request is unclear, controllers may decide which opt-out rights are relevant based on the request and opt the consumer out of only those rights. The proposed rules present a revised timeline for companies’ compliance with the UOOM, provide specifics around the prohibition on default settings, advise on authentication requirements, and further build out interoperability mechanisms.
- Timeline. For the first year after ColoPA takes effect, companies will be permitted, but not required, to honor a consumer’s UOOM signal. ColoPA requires controllers to honor such opt-out signals beginning on July 1, 2024. The proposed rules require the COAG’s office to maintain a public list of recognized UOOMs, to be published no later than January 1, 2024. Once a UOOM is added to the public list, controllers will have six months to begin recognizing it.
- No Default Settings. Under ColoPA’s rulemaking mandate, the COAG must establish rules that disallow mechanisms that provide a “default setting” of opting out. Instead, controllers must honor opt-out mechanisms that reflect the “consumer’s affirmative, freely given, and unambiguous choice to opt out” of data processing. The proposed rules provide that a browser that sends a UOOM signal by default, without asking the consumer to enable the setting, does not reflect the consumer’s choice and therefore does not comply with ColoPA. On the other hand, a browser or app that asks the consumer specifically and clearly whether they want to send a UOOM signal, with no pre-selected choice, does capture the user’s unambiguous choice to opt out or not. The proposed rules also treat a consumer’s decision to use a privacy tool that is marketed as exercising the user’s right to opt out as the consumer’s unambiguous choice, so such a privacy tool is a valid UOOM.
- Authenticating Users. Platforms, developers, or providers that offer a UOOM are permitted, but not required, to authenticate that a user is a Colorado resident. Likewise, controllers are permitted, but not required, to authenticate that a user signaling a desire to opt out is a Colorado resident.
- Interoperability. UOOMs, themselves, need not be specifically tailored to ColoPA. The proposed rules seek to accommodate UOOMs that are interoperable between Colorado and other states.
(4) Consent: Controllers must obtain a consumer’s consent to process “sensitive data.” Sensitive data includes a range of data that reveals personal characteristics, children’s data, and biometric data. Such consent must be given freely as a clear, affirmative act. Dark patterns are forbidden. The proposed rules contain important guidance on requirements for controllers to refresh consent and retroactively gain consent for ongoing data processing:
- Freely Given Consent. Companies may not deny consumers goods, services, discounts, or other products if they refuse to consent to the processing of their sensitive data, unless one of two conditions is met: (1) the sensitive data is necessary to provide the goods, services, discounts, or other products at issue; or (2) the consent is required in connection with a business loyalty program. Additionally, consumers must be able to withdraw consent at any time. We recently noted that this provision echoes similar consent requirements in the General Data Protection Regulation (“GDPR”).
- Dark Patterns Forbidden. We’ve previously discussed dark patterns and how they may manipulate a user’s behavior and undermine the user’s choice, leading the user to do something that the user did not expect or desire. ColoPA’s proposed rules highlight asymmetrical interface patterns that, if used, would nullify a consumer’s consent. For example, the proposed rules provide that a user interface in which the “I accept” button is larger than the “I do not accept” button, or in which the “I do not accept” button is greyed out while the “I accept” button is presented in a brighter, more prominent color, would vitiate consent and violate ColoPA.
- Consent for Children. The proposed rules expand the requirement for controllers to obtain a parent’s or guardian’s consent before collecting or processing a child’s data. Parental consent is now required when a controller operates a website or business directed at children or when the controller has actual knowledge that it is collecting or maintaining a child’s personal data. However, the proposed rules no longer obligate such controllers to verify a consumer’s age before processing their personal data.
- Refreshing Consent. The proposed rules require controllers to refresh consent from a consumer when (1) the consumer has not interacted with the controller in the prior 12 months, and (2) the controller is either processing sensitive data or processing personal data for a secondary use that involves profiling.
(5) Biometric Data Defined: ColoPA does not define biometric data, but the proposed rules define it to mean biometric identifiers produced from a person’s biological, physical, or behavioral characteristics intended to be used for identification purposes. The proposed rules clarify that the “biometric identifiers” definition refers only to data that can be processed for the purpose of uniquely identifying an individual.
(6) Data Minimization: We have previously written about regulatory enforcement around data minimization and how some companies should consider reducing the amount of data they collect and store to reduce cyber and privacy risks. The proposed rules require that companies (1) determine and document the minimum personal data necessary for a given purpose and (2) establish specific time limits for data retention or conduct periodic reviews to identify data that should be deleted. Additionally, the proposed rules prescribe a minimum annual review of biometric data to determine if retaining it is necessary to fulfill the purpose for which that data was collected.
(7) Data Protection Assessments: ColoPA requires companies that process consumer data in a manner that presents a heightened risk of harm to consumers to conduct a data protection assessment (“DPA”). The proposed rules shed light on how often data controllers should conduct such assessments and what content controllers should include in their assessments:
- DPA Frequency. The proposed rules state that controllers must review and update their DPAs periodically during a processing activity. If a company is processing data for profiling in furtherance of decisions that produce legal or similarly significant effects, it must review and update those assessments at least annually.
- DPA Content. The proposed rules prescribe 13 items that controllers must include in their DPAs. Among these items are the requirements (1) to describe the sources and nature of risks to individual consumers, as well as broader consumer groups, based on the activity, and (2) to detail the measures and safeguards that the controller will employ to mitigate risks.
- Reliance on Prior DPAs. A controller may rely on a DPA completed for another jurisdiction if it is similar in scope and effect to ColoPA’s DPA requirements. Controllers may submit a DPA conducted for another jurisdiction along with a supplement that covers any Colorado requirements that were not present in the prior DPA.
(8) Profiling: The proposed rules establish up-front requirements for companies that wish to process consumer data for profiling. “Profiling” is defined as “any form of automated processing of personal data” used to evaluate an individual’s personal economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. For example, a controller that processes personal data for profiling in furtherance of a decision that results in the denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services must make specific disclosures in its privacy notice. Such disclosures must include, among other things, what decision is subject to profiling, a plain-language explanation of the logic used in the profiling, and how the profiling is used in the decision-making process. Before a controller can process data for profiling, it must conduct and document a DPA. DPAs for profiling are more detailed than the standard DPAs described above, as they must also include details on the decisions made using profiling and how the profiling system will use consumer data.
Key Takeaways on Colorado Privacy Act Rulemaking:
- Businesses should prepare to respond to consumers’ universal opt-out signals by July 1, 2024, including signals sent by the mechanisms that will be named in the COAG’s forthcoming list of recognized UOOMs.
- Processing sensitive data under ColoPA requires consumer consent with few exceptions. Businesses should consider reviewing their user consent interfaces to ensure they do not employ dark patterns.
- Businesses that may process biometric data should become familiar with the COAG’s proposed definition as well as the associated requirements for consent and data retention.
- Companies planning to process data for profiling should consider how to address additional transparency requirements and other restrictions.
Avi Gesser is a partner, Johanna Skrzypczyk is counsel, Michael R. Roberts and Alessandra G. Masciandaro are associates, and Ned Terrace is a law clerk at Debevoise & Plimpton LLP. This post originally appeared in the firm’s Data Blog.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.