On September 30, 2022, the Colorado Attorney General’s Office (“Colorado AG”) issued its proposed draft Colorado Privacy Act (“CPA”) Rules (the “CPA Rules” or “Rules”). The draft Rules, which add significant complexity and new obligations for businesses, go far beyond what was expected of the Colorado AG and, despite repeated insistence on interoperability with other state laws, veer sharply away from the approaches being taken in California in many respects.

Rulemaking Process Timeline 

The Colorado AG will hold three virtual stakeholder meetings on November 10, 15, and 17, 2022. The stakeholder meetings are a forum for the AG to gather feedback from a broad range of stakeholders and aid in the development and finalization of the Rules to implement the CPA. Written comments for stakeholder meetings must be submitted by November 7, 2022.

In addition, the AG may host opportunities for public input beyond those listed above if it determines that doing so is prudent or necessary to revise the Rules and incorporate stakeholder input. The dates and times of any additional sessions will be announced via the CPA rulemaking mailing list and on the AG’s website.

On February 1, 2023, the AG will hold a public hearing at 10:00 am CST. The hearing will be conducted both in person and by video conference. All interested parties must register to attend the public hearing, which can be done through the AG’s website. Interested parties can also testify at the rulemaking hearing and/or submit written comments through the online CPA rulemaking comment portal.

The February 2023 hearing date marks the end of the public comment period (unless the AG makes substantial modifications to the Rules that would require the rulemaking process to be completed a second time). After the hearing, the AG will have 180 days to file adopted Rules with the Colorado Secretary of State for publication in the Colorado Register. The Rules will then take effect twenty days after publication. The CPA itself goes into effect on July 1, 2023.

Content Highlights

The draft Rules are organized into nine parts: (1) general applicability; (2) definitions; (3) consumer disclosures; (4) consumer personal data rights; (5) universal opt-out mechanism (“UOOM”); (6) controller duties; (7) consent; (8) data protection assessments (“DPAs”); and (9) profiling.

While we will be posting a more in-depth analysis of the draft Rules shortly, a few of the more notable aspects of the Rules that jump out immediately are:

  • Privacy Notice Content Requirements: The draft Rules set forth granular requirements as to the content that will be required in CPA-compliant privacy notices. Interestingly, while the Colorado AG has repeatedly emphasized interoperability with other state laws, such as California’s, the privacy notice requirements in the draft Rules are tied to processing purposes rather than categories of personal information, a markedly different approach from the current California Consumer Privacy Act (“CCPA”) regulations and the proposed draft California Privacy Rights Act (“CPRA”) regulations. Under the Rules, each processing purpose must be described “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing Purpose.”
  • UOOM Specifications: The draft Rules introduce detailed technical and other specifications for the UOOM, Colorado’s version of the global privacy control (“GPC”) concept. These include requirements for browser- and device-based opt-out signals, along with a publicly available “Do Not Sell” list akin to the federal “Do Not Call” registry maintained by the FTC.
  • Profiling: The draft Rules prescribe detailed provisions regarding profiling in furtherance of decisions that produce legal or similarly significant effects. We do not yet have CPRA regulations on this topic.
  • Sensitive Data Inferences Duty: The draft Rules create a new category of sensitive data known as “Sensitive Data Inferences,” which means “inferences made by a Controller based on Personal Data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.” Under the Rules, controllers may process such inferences only under certain circumstances and must ensure that any inferences of this nature are deleted within 12 hours of collection.
  • Explicit Data Retention Schedule Requirement: The draft Rules also provide that, in order to ensure that personal data is “not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.” In practice, this means that companies subject to the CPA will need to create data retention and destruction schedules if they do not already have them in place.
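The browser-based opt-out the UOOM bullet refers to is, in practice, a request signal the server must recognize and honor. The following is an added example, not code from the original post or from the Colorado AG: it assumes the W3C Global Privacy Control draft convention, an HTTP request header `Sec-GPC: 1` (client-side, `navigator.globalPrivacyControl`), and treats any other value as no signal. The preference store, the `Decision` structure and the policy of combining the signal with a stored opt-out are illustrative assumptions of mine, not the text of Colorado’s UOOM specification.

```python
"""Server-side handling of a browser opt-out signal (GPC-style header).

Added example, not from the original post. Assumes the W3C GPC draft:
an exact `Sec-GPC: 1` request header means opt out of sale and targeted
advertising. Preference-store keys and the Decision shape are assumed.
"""
from dataclasses import dataclass
from typing import Mapping, Optional
import json


@dataclass(frozen=True)
class Decision:
    sale: bool                  # may personal data be sold?
    targeted_advertising: bool  # may it be used for targeted advertising?
    source: str                 # what drove the decision, for audit logs


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for an exact `Sec-GPC: 1`.

    Header names are case-insensitive. Values such as "0", "true" or ""
    are not an opt-out under the GPC draft and are deliberately ignored
    rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide(headers: Mapping[str, str],
           stored_prefs: Optional[Mapping[str, bool]] = None) -> Decision:
    """Combine the request signal with a stored, authenticated preference.

    Assumed policy (not the text of the Rules):
      - A present signal opts the consumer out of both purposes.
      - An absent signal is not consent: a stored opt-out still stands.
      - Only when neither says opt-out does processing proceed.
    """
    if gpc_signal_present(headers):
        return Decision(sale=False, targeted_advertising=False,
                        source="gpc-header")
    prefs = stored_prefs or {}
    sale_ok = not prefs.get("opt_out_sale", False)
    ads_ok = not prefs.get("opt_out_targeted_advertising", False)
    source = "stored-preference" if prefs else "default"
    return Decision(sale=sale_ok, targeted_advertising=ads_ok, source=source)


def well_known_gpc(last_update: str) -> str:
    """Body for /.well-known/gpc.json, the GPC draft's resource by which a
    site states that it honors the signal. `last_update` is an ISO date."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed request headers, as a browser with GPC enabled would send.
    sample_headers = {"Host": "example.test", "Sec-GPC": "1"}
    print(decide(sample_headers))
    print(decide({"Host": "example.test"}, {"opt_out_sale": True}))
    print(well_known_gpc("2022-10-03"))
```

The point of the combination rule is that the signal only ever tightens processing: its absence on a later request (a different browser, a cleared extension) must not silently re-enable a sale the consumer already opted out of through the site’s own settings.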

Stay Tuned For More

Please stay tuned for further analysis on these and other provisions in the draft Colorado regs.

Privacy regulators in California and Colorado recently made announcements regarding rulemaking for their respective state privacy laws. Last week, the California Privacy Protection Agency (“CPPA”) announced that it will hold its next public meeting this Thursday, February 17, during which it will discuss updates on the rulemaking process, including a timeline. On January 28, Colorado Attorney General Phil Weiser publicly announced the intent of the Colorado Office of the Attorney General (“COAG”) to carry out rulemaking to implement the Colorado Privacy Act (“CPA”), providing an indication of focus areas and a rough timeline. We discuss each of these developments in further detail below.

As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021. The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and a requirement that companies look for and honor global privacy signals. Both the California consumer privacy regime and, even more so, the CDPA were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.

In their must-read analysis, they break down the similarities and differences among the three US state consumer privacy regimes.

With the stroke of his pen on July 7, Governor Jared Polis (D) signed the Colorado Privacy Act (CPA or Act) into law, making the Centennial State the third U.S. state to pass comprehensive consumer privacy legislation. The Act, passed by the legislature on June 8, combines elements of the California and Virginia consumer privacy laws, possibly creating a harmonization model for other states to follow. For a comprehensive comparison of the three states’ laws click here. The CPA will be enforceable as of July 1, 2023.

This week the Colorado governor signed new privacy legislation, the Colorado Privacy Act, which takes effect on July 1, 2023. It requires businesses to give consumers the ability to access, correct and delete their personal information, and to opt out of its sale or its processing for targeted advertising and profiling purposes. However, the statute does not include a private right of action. Instead, it entrusts sole authority to the state’s attorney general and district attorneys to enforce the law.

Alan Friel provided expert insights to Law360 on this development, which you can access here. Stay tuned later today, when Alan Friel and his privacy pros will provide a comprehensive breakdown of this new data privacy statute and what it all means.


Colorado’s SB 21-190 has passed both chambers and, if not vetoed, will become the third omnibus state privacy law, enforceable 7/1/23. It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including by means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or to obtain a portable copy of it. It does not apply to employee data. It specifies how controllers must fulfill their duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination, and sensitive data, and it requires risk assessments for certain “high risk” processing activities. The law is closer to Virginia’s CDPA than to California’s CCPA/CPRA, but there are material differences. Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates to their industry-level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Profiling and Automated Decision-Making: How to Prepare in the Absence of Draft CPRA Regulations | Consumer Privacy World

Protecting Electronic Communications Networks and Services from Cyber-Attack and Data Breach: Enhanced Obligations and Board-level Accountability | Consumer Privacy World

CPW’s Kristin Bryan Recognized as a Lexology Legal Influencer | Consumer Privacy World

DMA: EU Publishes The New Digital Markets Act | Consumer Privacy World

BREAKING: Plaintiff Prevails In First BIPA Class Action Jury Trial | Consumer Privacy World

We Have an EO, but Not (Yet) a New Transfer Mechanism | Consumer Privacy World

Registration Open: 12th International Cybersecurity Symposium – Creating Trusted Cybersecurity Actions for the Social, Economic, and National Security Domains | Consumer Privacy World

Charles Helleputte and Team Joins our Data Privacy Practice | Consumer Privacy World

SEC Reopens Comment Period on Proposed Data Breach Disclosure and Cybersecurity Governance Rules | Consumer Privacy World

Biden Administration Issues Executive Order for Privacy Shield Replacement | Consumer Privacy World

Supreme Court to Hear Pair of Cases Concerning Immunity Under Section 230 of the Communications Decency Act | Consumer Privacy World

Online-Only Businesses Are Not a Place of Public Accommodation: California State Appellate Court Follows the Ninth Circuit in ADA-Related Ruling | Consumer Privacy World

BREAKING: Former Uber CSO Convicted of Criminal Obstruction and Concealment of a Felony for 2016 Data Breach Cover Up | Consumer Privacy World

Available Now: CPW’s Kristin Bryan, Christina Lamoureux, and Margaret Booz Co-Author Lexis Practice Note on Biometric Privacy and Artificial Intelligence Legal Developments | Consumer Privacy World

White House Office of Science and Technology Policy Releases AI Bill of Rights | Consumer Privacy World

Colorado Privacy Act Proposed Draft Rules Released | Consumer Privacy World

Passage of Federal Privacy Bill Remains Possible This Year, Remains a Continued Priority | Consumer Privacy World

Webinar Registration Open: Mitigating Cybersecurity Class Action Litigation Risks: Policies, Procedures, Service Providers, Notification, Damages | Consumer Privacy World

Kyle Fath appointed to Connecticut Privacy Legislation Working Group | Consumer Privacy World

FCC Adopts Rulemaking Proposal to Protect Consumer Privacy From Invasion by Unwanted Text Messages | Consumer Privacy World

Update on the California Privacy Protection Agency: Still No Date Certain for the CPRA Regulations | Consumer Privacy World

“Delaware Ruling Highlights Challenges Of Data Breach Biz Disputes” Article, Co-Authored by CPW’s Kristin Bryan, Jesse Taylor and Caroline Dzeba, is Published on Law360 | Consumer Privacy World


This blog post is a bonus supplement to our quarterly Artificial Intelligence and Biometric Privacy Quarterly Review Newsletter. Be on the lookout for our Q3 Newsletter!

We are quickly approaching the Jan. 1, 2023 operative date of most of the provisions of the California Privacy Rights Act (“CPRA”), which, as most of us know by now, substantially amends the CCPA. Under the CPRA, the California Privacy Protection Agency (“CPPA” or “Agency”) has a mandate to issue regulations on a number of specific topics. With fewer than three months to go until January 1, the regulations are not even close to being finalized. The Agency released the first draft of proposed regulations on May 24, and the first public comment period ended on August 23. In a meeting held by the CPPA on Friday, September 23, the Agency gave no concrete sense of timing, nor any comments on topics, such as those discussed in this post, for which regulations have not even been issued. This has left many businesses in the lurch, uncertain of what to do.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Biden Administration Issues Executive Order for Privacy Shield Replacement | Consumer Privacy World

Supreme Court to Hear Pair of Cases Concerning Immunity Under Section 230 of the Communications Decency Act | Consumer Privacy World

Online-Only Businesses Are Not a Place of Public Accommodation: California State Appellate Court Follows the Ninth Circuit in ADA-Related Ruling | Consumer Privacy World

BREAKING: Former Uber CSO Convicted of Criminal Obstruction and Concealment of a Felony for 2016 Data Breach Cover Up | Consumer Privacy World

Available Now: CPW’s Kristin Bryan, Christina Lamoureux, and Margaret Booz Co-Author Lexis Practice Note on Biometric Privacy and Artificial Intelligence Legal Developments | Consumer Privacy World

White House Office of Science and Technology Policy Releases AI Bill of Rights | Consumer Privacy World

Colorado Privacy Act Proposed Draft Rules Released | Consumer Privacy World

Passage of Federal Privacy Bill Remains Possible This Year, Remains a Continued Priority | Consumer Privacy World

Webinar Registration Open: Mitigating Cybersecurity Class Action Litigation Risks: Policies, Procedures, Service Providers, Notification, Damages | Consumer Privacy World

Kyle Fath appointed to Connecticut Privacy Legislation Working Group | Consumer Privacy World

FCC Adopts Rulemaking Proposal to Protect Consumer Privacy From Invasion by Unwanted Text Messages | Consumer Privacy World

Update on the California Privacy Protection Agency: Still No Date Certain for the CPRA Regulations | Consumer Privacy World

“Delaware Ruling Highlights Challenges Of Data Breach Biz Disputes” Article, Co-Authored by CPW’s Kristin Bryan, Jesse Taylor and Caroline Dzeba, is Published on Law360 | Consumer Privacy World

Third Circuit Announces Standard for Determining Accuracy of Credit Reports Under FCRA | Consumer Privacy World