On September 30, 2022, the Colorado Attorney General’s Office (“Colorado AG”) issued its proposed draft Colorado Privacy Act (“CPA”) Rules (the “CPA Rules” or “Rules”). The draft Rules, which add significant complexity and impose significant obligations on businesses, go far beyond what was expected of the Colorado AG and, despite the repeated insistence on interoperability with other state laws, veer sharply away from the approaches being taken in California in many respects.

Rulemaking Process Timeline 

The Colorado AG will hold three virtual stakeholder meetings on November 10, 15, and 17, 2022. The stakeholder meetings are a forum for the AG to gather feedback from a broad range of stakeholders and aid in the development and finalization of the Rules to implement the CPA. Written comments for stakeholder meetings must be submitted by November 7, 2022.

In addition, the AG may host additional opportunities for public input beyond those listed above if it determines doing so is prudent or necessary to revise the Rules and incorporate stakeholder input. The dates and times of these additional sessions will be announced via the CPA rulemaking mailing list and on the AG’s website.

On February 1, 2023, the AG will hold a public hearing at 10:00 am CST. The hearing will be conducted both in person and by video conference. All interested parties must register to attend the public hearing, which can be done through the AG’s website. Interested parties can also testify at the rulemaking hearing and/or submit written comments through the online CPA rulemaking comment portal.

The February 2023 hearing date marks the end of the public comment period (unless the AG makes substantial modifications to the Rules that would require the rulemaking process to be completed a second time). After the hearing, the AG will have 180 days to file adopted Rules with the Colorado Secretary of State for publication in the Colorado Register. The Rules will then take effect twenty days after publication. The CPA itself goes into effect on July 1 of next year.

Content Highlights

The draft Rules are organized into nine parts: (1) general applicability; (2) definitions; (3) consumer disclosures; (4) consumer personal data rights; (5) universal opt-out mechanism (“UOOM”); (6) controller duties; (7) consent; (8) data protection assessments (“DPAs”); and (9) profiling.

While we will be posting a more in-depth analysis of the draft Rules shortly, a few of the more notable aspects of the Rules that jump out immediately are:

  • Privacy Notice Content Requirements: The draft Rules set forth granular requirements as to the content that will be required in CPA-compliant privacy notices. Interestingly, while the Colorado AG has repeatedly emphasized interoperability with other state laws, such as California, the privacy notice requirements encompassed within the draft Rules are tied to processing purposes, rather than categories of personal information, representing a markedly different approach than the current California Consumer Privacy Act (“CCPA”) and proposed, draft California Privacy Rights Act (“CPRA”) regulations. Pursuant to the Rules, each processing purpose must be described “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing Purpose.”
  • UOOM Specifications: The draft Rules introduce detailed technical and other specifications regarding the UOOM, Colorado’s version of the global privacy control (“GPC”) concept, which includes requirements for browser/device-based opt-outs, along with a publicly available “Do Not Sell” list akin to the “Do Not Call” list maintained by the FCC.
  • Profiling: The draft Rules prescribe detailed provisions regarding profiling in furtherance of decisions that produce legal or similarly significant effects. We do not yet have CPRA regulations on this topic.
  • Sensitive Data Inferences Duty: The draft Rules create a new category of sensitive data known as “Sensitive Data Inferences,” which means “inferences made by a Controller based on Personal Data, alone or in combination with other data, which individuate an individual’s racial or ethnic origin, religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.” Under the Rules, controllers are limited to processing such inferences only under certain circumstances and must ensure that any inferences of this nature are deleted within 12 hours of collection.
  • Explicit Data Retention Schedule Requirement: The draft Rules also provide that in order to ensure that personal data is “not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.” In practice, this means that companies subject to compliance with the CPA will need to create data retention and destruction schedules if they do not already have one in place.

Stay Tuned For More

Please stay tuned for further analysis on these and other provisions in the draft Colorado regs.

As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021.  The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.

In their must-read analysis, they break down the similarities and differences of the three US state consumer privacy regimes.

Colorado’s SB 21-190 has passed both chambers and, if not vetoed, will become the third omnibus state privacy law, enforceable 7/1/23. It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including via means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or obtain a portable copy of it. It does not apply to employee data. It specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination, and sensitive data, and requires risk assessments for certain “high risk” processing activities. The law is closer to Virginia’s CDPA than California’s CCPA/CPRA, but there are material differences. Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates to their industry-level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27.

Continue Reading Ad Industry Group Modifies Its Compliance Program to Address 2023 US State Privacy Laws

Kyle Fath, partner in the firm’s Data Privacy, Cybersecurity & Digital Assets group and Los Angeles Office, was appointed this month to serve on the Connecticut Data Privacy Act (CTDPA) working group by the joint standing committee of the Connecticut General Assembly.

Continue Reading Kyle Fath appointed to Connecticut Privacy Legislation Working Group

We head into the fourth quarter on the heels of the first public California Consumer Privacy Act (CCPA) civil penalty, while also looking ahead to the new state privacy laws in Virginia, Colorado, Connecticut, and Utah and the significant updates that the California Privacy Rights Act (CPRA) will bring to the CCPA. Considering that regulations are yet to be finalized in both California and Colorado, it is no surprise that some businesses are uncertain regarding how to proceed. To help businesses address both current risks, as demonstrated by recent enforcement, as well as the “new” 2023 privacy requirements, we have developed guidance materials, including high-level workstreams, covering the following topics:

  1. Preparing for the 2023 State Privacy Laws
  2. HR and B-to-B Data CCPA/CPRA Compliance Primer
  3. Lessons from the First CCPA Civil Penalty Case
  4. Takeaways from the First Draft of Revised CCPA/CPRA Regulations

Click here to download the guidance. More detailed guidance and workstreams, as well as model materials with customization support, are available to clients. Contact your SPB relationship partner for more information.

In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

Continue Reading Malcolm Dowden and Niloufar Massachi Discuss Vendor Contracting Requirements Under New US Privacy Laws and the GDPR

In the absence of any progress at the federal level, states have taken matters into their own hands with the introduction of proposed consumer privacy legislation geared toward placing greater protections over consumers’ sensitive personal data. 2021 was a busy year for state legislatures, with both Virginia and Colorado enacting new consumer privacy statutes of their own. 2022 brought more of the same, with Utah and Connecticut adding their names to the growing list of states that now have laws on the books granting consumers extensive rights regarding the collection and use of their personal data while at the same time imposing wide-ranging obligations on companies that handle that same data.

Continue Reading CPW’s David Oberly Examines Recent Major Changes to Consumer Privacy Legal Landscape in Latest Issue of the Cincinnati Bar Association’s CBA Report Magazine

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Continue Reading The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement

Earlier this month CPW’s Kristin Bryan and Kyle Fath presented a webinar on “AI and Biometrics Privacy: Trends and Developments” with the International Association of Privacy Professionals (“IAPP”), the largest global community of privacy professionals.  A recording of that webinar is available to all IAPP members and available (for CPE credit) here.

As summarized in the program description on the IAPP website:

Artificial intelligence and biometrics privacy are top-of-mind issues for companies and their privacy professionals, regardless of the industry sector in which they operate. AI will soon be regulated in the U.S. in an unprecedented manner: The patchwork of 2023 state privacy laws imposes restrictions and obligations on organizations carrying out AI, profiling and automated decision-making processes, and the Federal Trade Commission is poised to promulgate regulations on automated decision-making and related topics. Organizations employing facial recognition and other biometrics technologies are under the constant threat of putative privacy class-action litigations under Illinois’ Biometric Information Privacy Act and a handful of other state laws. With BIPA copycats and similar legislation introduced across the country, and a lack of clarity in the current case law, the risk associated with biometrics will certainly continue, and likely increase. Needless to say, global developments in these areas add further complexity to organizations with international operations.

The program addresses, among others:

  • AI, biometrics and privacy compliance — Restrictions on and obligations under forthcoming privacy laws in California, Colorado, Utah and Virginia, including with respect to profiling, automated decision-making, and sensitive data.
  • AI and biometrics litigation overview — The current litigation landscape concerning AI and biometrics, including facial recognition.
  • Legislative and regulatory priorities — Pending and anticipated legislative and regulatory developments, both federal and state, as well as globally.

Kristin and Kyle are also covering on CPW key developments regarding AI and biometric privacy in the realm of regulation, compliance and litigation.  You can check out their analyses of these issues here, here and here, with contributions from David Oberly and other team members.

For more on this, stay tuned.  CPW will be there to keep you in the loop.