On September 30, 2022, the Colorado Attorney General ("AG") published draft regulations under the Colorado Privacy Act ("CPA"). The 38-page draft is quite detailed, proposing specific requirements on privacy policy disclosures, consumer rights, data protection assessments, dark patterns and "profiling," some of which will be a substantial compliance lift for many companies. While many businesses have focused on the looming January 1, 2023, deadline for compliance with the California Privacy Rights Act, the draft CPA rules signal that Colorado intends to become a significant privacy enforcer in its own right.

Stakeholders may comment on the proposed regulations from October 10, 2022, to February 1, 2023, when the Colorado AG will hold a public hearing on the draft rules. In advance of the rulemaking hearing, the department is holding additional virtual stakeholder meetings in November, with comments due by November 7, 2022. The final form of the regulations and the CPA itself become effective on July 1, 2023, except those provisions relating to universal opt-out mechanisms, which will be enforceable as of July 1, 2024.

Below we highlight some key provisions of the proposed rules.

Privacy Policy Requirements

First, the good news: the draft regulations do not specifically require data controllers (i.e., entities that control the means and purposes of processing personal data) to create a Colorado-specific section of their privacy policy so long as the policy contains all of the required Colorado disclosures. The bad news, however, is that Colorado's requirements are very different from those of other states like California, which focus on the categories of information collected rather than the specific processing purposes. The Colorado rules would require controllers to describe each processing purpose in enough detail to give consumers a "meaningful understanding" of how their personal data will be processed and why that data is "reasonably necessary" to achieve that processing purpose. For each processing purpose, the privacy policy must describe (1) the categories of personal data processed; (2) the categories of personal data that the controller sells to or shares with third parties, if any; and (3) the categories of third parties to whom the controller sells, or with whom the controller shares, personal data, if any.

The draft regulations also require companies to give at least 15 days' notice to consumers before making "substantive or material changes" to a privacy policy.  Substantive changes include the categories of information processed, processing purposes, the controller's identity, and any methods of exercising consumer rights.  These requirements may well trigger a significant increase in the number of "privacy policy update" emails that need to be sent to consumers.

Data Protection Assessments

The draft rules contain detailed requirements for conducting data protection assessments, going beyond most other current regulations. The regulations describe a data protection assessment as "a genuine, thoughtful analysis" that (1) identifies and describes all processing risks that present a "heightened risk of harm" to consumers, (2) documents measures considered and taken to address those risks, and (3) demonstrates that the contemplated benefits of processing outweigh the risks, as offset by any safeguards in place. The rules describe eighteen topics that comprise the "minimum" requirements for these assessments, including the processing activity, its purpose, the types of personal data processed (including any sensitive data), why the data to be processed is appropriately limited to the purpose, the names and categories of any third-party recipients of the data, and a detailed description of the potential harms to consumers from the processing, along with safeguards to address those harms (among other things). Assessments must be completed before commencing a processing activity, must be reviewed and updated periodically, and are subject to turnover to the AG upon demand within 30 days.

Profiling

The proposed rules contain further requirements for "profiling," which the CPA defines as any form of automated processing of personal data to evaluate, analyze, or predict "personal aspects" of consumers' "economic situation, health, personal preferences, interests, reliability, behavior, location, or movements." Controllers will need to make disclosures in their privacy policy specifically about any profiling activities, and must comply with detailed requirements allowing consumers to opt out. Additional data protection assessment requirements also apply to profiling activities.

Personal Data Rights and Opt-Out Mechanisms

The draft regulations contain detailed provisions about how controllers must receive and respond to consumer requests to exercise their individual rights under the CPA. Such rights include rights of access, correction, deletion, and data portability, as well as the right to opt out of processing for purposes of targeted advertising, the sale of personal data, or certain types of profiling. Many of these requirements will be familiar to those who have already dealt with implementing the California Consumer Privacy Act. Because Colorado, unlike California, does not appear to mandate separate opt-out links with specific names, it is possible that providing a single opt-out link will comply with both laws.

As of July 1, 2024, the CPA will require controllers to allow consumers to exercise their opt-out rights through a universal opt-out mechanism, such as an operating system or browser extension tool, that clearly communicates a consumer's "affirmative, freely given, and unambiguous" choice to opt out. The rules describe detailed procedures for complying with the universal opt-out requirement, and Colorado will ultimately publish a list of state-recognized opt-out mechanisms by April 2024.

Other Topics

The rules address a host of other provisions, such as detailed requirements for obtaining consent (necessary for processing sensitive data under the CPA), requirements for "bona fide loyalty programs," prohibitions against the use of "dark patterns," data minimization requirements, and a general duty of care, among other things.

These proposed regulations should be a wake-up call for those who may not have paid as much attention to Colorado during the run-up to the CPRA. The Colorado AG has clearly signaled its intention to become a major privacy enforcer, and stakeholders should prepare, given that the final rules will likely be both complex and prescriptive.

If you have questions about these proposed regulations, or other questions about state or federal data protection obligations, please contact any member of the Baker Botts Privacy and Data Security team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.