
Draft Regulations for the Colorado Privacy Act released

I had hoped to cover this a few days ago, but it wasn’t until recently that I was able to verify the release of the draft regulations by the State of Colorado, as their notification regarding the release and the update to the rulemaking information was causing their website to error. With that being said, I am happy to finally highlight some of the key areas I think are worth paying attention to. These proposed regulations further define what is required by the Colorado Privacy Act and, if adopted, will start affecting businesses in July 2023.

Note: I am not a lawyer, this is not legal advice, and these regulations are in draft and subject to change, so anything that follows may not apply to the final text. This list is also not exhaustive, and you are strongly encouraged to review it with legal counsel at the earliest convenience given the expected timelines for enforcement.

Key Terms

The regulations define a lot of terms; some of the highlights that will warrant consideration are as follows:

Biometric Identifiers: means data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.

That definition is very broad, and if it stands I have to question whether something like web browser data could qualify legally as biometric data, since it could in theory be claimed to record behavioral patterns over a period of time.

The regulations also break out and define terms such as Public Information, which creates a potentially interesting interplay with how data collection works; the second definition in particular is worth considering.

Personal Data that has been intentionally made available by the Consumer through a website or online service where the Consumer has not restricted the information to a specific audience.

This means that information someone shares, such as through LinkedIn, would be considered Public Information under the Colorado draft.

The regulations go on to define Intimate Image, which is not limited as narrowly as one might first expect, as the definition also includes a clause around religious beliefs.

A part of the body that, if revealed publicly, the subject would find sensitive or offensive based on their religious beliefs

There are also definitions around Sensitive Data Inferences, which cover not only the usual religious, health, and sex data, but may also include web browsing data which, alone or in combination with other personal data, creates a profile that indicates an individual’s sexual orientation.

Consumer Disclosures

Like California, Colorado wants all disclosures to be accessible, and they must follow the Web Content Accessibility Guidelines, version 2.1. Further, like other data protection laws, the disclosures must use clear and plain language. Colorado also wants to ensure that these disclosures work on smaller screens and in mobile applications, and specifically calls those items out in the regulations.

Right to Opt-Out

Notably, under the regulations for opt-out, the time to respond to requests is as soon as possible, but no later than 15 days. Affected organizations are also required to keep a record of the opt-out request and the response.

If a link is used for opt-out, then Colorado wants specific language used (which is different from that being proposed for the State of California), using terms such as “Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” or “Your Opt-Out Rights.” Making all of this work without having a footer full of different state links will be an interesting challenge as rulemaking continues.

Universal Opt-Out Mechanism

Colorado is one of the states mandating that an Opt-Out signal be acknowledged, allowing a consumer to opt out of the sale of their data. The draft regulations speak on this over several pages, and at length about default opt-out settings. The regulations distinguish between adopting an Operating System where the signal was enabled by default and adopting a browser which has the signal engaged after install. The way the regulations are written, this means there is some interplay between whether an opt-out signal is valid under the terms of Rule 5.03B and whether it has to be acknowledged. This is one of the tricky areas I hope are addressed as rulemaking continues.

The regulations go on to limit the ability of a mechanism to apply unevenly across sites. An Opt-Out Mechanism has to treat every site equally to be acknowledged as valid under the regulations.

The Attorney General makes it clear that a list of acceptable opt-out signals will be maintained by the State, with an initial draft being put into place no later than April 1st, 2024. Controllers will be bound by that list for enforcement action on July 1st, 2024.

Privacy Policy

Colorado is very prescriptive in its requirements for a Privacy Policy, and requires Controllers to provide notice of a change at least 15 days before the change goes into effect. Further, Controllers are required to seek Consent prior to using data in new ways in certain scenarios, even if the change is called out in the Privacy Notice update.

The proposed requirements are as follows. A privacy notice must include the following information:

  • A comprehensive description of the Controller’s Personal Data Processing Practices. (“Comprehensive” alone carries nearly a full page of requirements; I advise discussing it in detail with Legal Counsel.)
  • Whether the Controller’s processing involves Personal Data for the purpose of Profiling in furtherance of decisions that produce legal or similarly significant effects.
  • A list of the Data Rights available.
  • A description of the methods through which a Consumer can submit requests to exercise Data Rights, including instructions on how to use each method, how identity is verified and, as of July 1st, 2024, an explanation of the Universal Opt-Out Mechanism(s).
  • If the Controller will delete Sensitive Data Inferences within 12 hours pursuant to Rule 6.10, a list of Sensitive Data Inferences subject to this provision and a deletion timeline for said Sensitive Data Inferences.
  • The Controller’s Contact Information.
  • Instructions for how a Consumer can appeal a Controller’s actions in response to a Request.
  • The date the privacy notice was last updated.

Loyalty Programs

The regulations in Rule 6.05 cover loyalty programs and the rights and disclosures required. If you run a loyalty program, you should definitely review this section in detail.

Data Minimization

The draft states that, to ensure personal data is reasonably necessary for the purpose, an assessment needs to be done according to Rule 6.11. Further, it states that personal data should only be kept in a form which allows for identification for as long as is required for the processing purposes. The Controller must set specific time limits for erasure or conduct a periodic review. Data which is no longer required, relevant or adequate should be deleted by the Controller and any Processors.

Biometric data specifically has a call-out, forcing a review at least annually to determine if storage is still required for the express Processing purpose, and consent is required to process biometric data (see Consent below).

Documentation

Controllers must maintain records related to any Consumer Data Rights requests for 24 months, and those need to contain the date of the request, the request type, the date of the Controller’s response, the nature of the Controller’s response, the basis for denial (if it was denied in whole or in part) and the existence and resolution of any Consumer Appeal.

Controllers also need to maintain a record of any compliance analysis (see Data Minimization above) for as long as the Processing occurs, and for three years afterward.

The Controller is required to implement and maintain reasonable security procedures and practices in maintaining all of these records.

Consent

Running seven pages (22-29, nearly 25% of the draft), Colorado defines when consent is needed and what valid consent looks like.

Consent is required when:

  1. Processing a Consumer’s Sensitive Data;
  2. Processing Personal Data concerning a known Child, in which case the Child’s parent or lawful guardian must provide Consent;
  3. Selling a Consumer’s Personal Data, Processing a Consumer’s Personal Data for Targeted Advertising, or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer after the Consumer has exercised the right to opt out of the Processing for those purposes; and
  4. Processing Personal Data for purposes that are not reasonably necessary to, or compatible with, the original specified purposes for which the Personal Data are Processed

The major call-out above for most will be the required consent for processing of personal data for Targeted Advertising. Media and Marketing teams should consider what this means, should the regulations be adopted.

Note, however, that Controllers may rely upon valid consent obtained prior to July 1st, 2023 to continue to process previously collected personal data. Prior Consent is only considered valid, however, if it would comply with the requirements set forth in the Regulations. This means compliance teams need to determine whether their consent strategy for Colorado is correct in light of the requirements, and potentially prompt for consent again after modifying their consent banners.

Further, if the Controller has collected Sensitive Data prior to July 1st, 2023 and has not obtained valid consent to process Sensitive Data, then they have to obtain consent as required prior to January 1st, 2023 or cease processing until they have obtained valid consent.

So what is valid consent?

The regulations define this at length over several pages, but the definition offered is:

To be valid, a Consent must meet each of the following elements: (1) it must be obtained through the Consumer’s clear, affirmative action; (2) it must be freely given by the Consumer; (3) it must be specific; (4) it must be informed; and (5) it must reflect the Consumer’s unambiguous agreement

The regulations go on to give multiple examples of each of these elements and what is required in each, including prompting for consent after a pre-existing opt-out, consent for children, and what refusing or withdrawing consent looks like.

Critically, however, a Controller is required to refresh consent at regular intervals and, if the data is Sensitive in nature, at least annually.

The regulations define Dark Patterns over several pages, and make it clear that consent obtained while using Dark Patterns isn’t valid, and that the Dark Patterns themselves are prohibited.

Data Protection Assessments

Data Protection Assessments are common in many data privacy laws, and Colorado has included them in its law as well. The Rules for this documentation span four pages, most of which are various requirements that must be included.

Worth mentioning here is a point about procedural safeguards, which apply when Personal Data is obtained, including whether and how the Controller will obtain consent, whether and how the Controller will provide Consumers the opportunity to opt out of Processing, and whether and how the Controller will review web interfaces used in obtaining Consent for Dark Patterns.

Also noteworthy are requirements (i) and (j), which require the analysis to factor in privacy harms, such as those which may produce stigmatization or reputational injury, as well as psychological harm, including anxiety, embarrassment, fear, and other mental trauma.

All in, the Colorado requirements go deeper and are more comprehensive than many other similar assessments, and care should be taken to ensure a full and proper analysis is completed to adhere to Colorado’s requirements. An analysis done for Colorado may be sufficient for other regions, but it is unlikely that an analysis done for other regions will be sufficient for Colorado should the proposed regulations be adopted.

The Controller additionally has to review and update the assessments on a periodic basis throughout the Processing’s lifecycle. If the Processing includes Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects, then it needs to be reviewed and updated at least annually, and must include an updated evaluation for fairness and disparate impact (see Profiling, below) and the results of any such evaluation.

Any time an assessment is updated, the Controller is required to store both the new and the previous versions for as long as the Processing continues and for three years after the Processing ends.

The Controller must make such assessments available to the Attorney General within thirty days of the AG’s request.

Profiling

Spanning four pages, the draft regulations cover Profiling, including special scenarios such as Profiling which produces legal effects, in which case the Data Protection Assessments described above gain even more requirements. Should this be part of your business, you are strongly encouraged to review the details of Rule 9.

What’s Next?

The Colorado Attorney General will hold three meetings to discuss the proposed draft rules described above. If you have feedback, please attend one of the sessions below or submit written comments at https://coag.gov/resources/colorado-privacy-act/ during the comment period, October 10th, 2022 through February 1st, 2023.

If you wish for your comment to be considered for the meetings below, it must be submitted by November 7th, 2022. If you wish for it to be considered for any proposed revisions, it must be submitted by January 18th, 2023.

Meeting Dates

  • Date: Thursday, November 10, 2022
    Topics: Consumer Rights and Universal Opt-Out Mechanisms
  • Date: Tuesday, November 15, 2022
    Topics: Controller Obligations and Data Protection Assessments
  • Date: Thursday, November 17, 2022
    Topics: Profiling, Consent, and Definition
