On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.
There are certainly areas where the CPA rules align with the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act, or “CPRA”). That said, there are also several areas with material differences, requiring companies to treat California and Colorado consumers and their data differently, adopt the most harmonized approach possible across both states, or make risk-based decisions to follow one state’s requirements more prescriptively than the other’s. The CPA rules go into greater detail on topics such as profiling and automated decision-making (where we are still waiting on CCPA regs) and data protection assessments. However, California has said it will consider the Colorado standards when setting its own standards on these topics. There are regs concerning Global Privacy Control, called the “universal opt-out mechanism” in the Colorado rules, that align to some extent with the CCPA’s regs. The privacy notice requirements in the final CPA rules align more closely with the CCPA’s requirements than they did in prior drafts, though there are material differences that will likely require many companies to update the privacy notices they already updated for January 1 between now and July 1.
Obligations on covered businesses are extensive, especially for data protection assessments. To summarize, controllers subject to the CPA will have to conduct data protection assessments when engaging in processing activities that present a heightened risk of harm to consumers. Generally, assessments must carry out a risk-benefit analysis and discuss the safeguards that will be taken to offset the risks. The Virginia Consumer Data Protection Act (“VCDPA”) and Connecticut’s Public Act No. 22-15 (known as the “CTPA”) also impose data protection assessment obligations, but the CPA rules go further and mandate twelve explicit inquiries that must be discussed, with an additional twelve required if the activity in question is profiling. Look for a blog post soon on the specifics of what will be required of privacy impact assessments.
US Privacy Legislation Landscape
To recap, the CPA is one of five state privacy laws (six, if Iowa’s governor signs the Consumer Data Privacy Bill, which the state’s legislature passed yesterday, into law later this month, and seven if you count Nevada’s online privacy and data broker law). Other than California, Colorado is the only state with a mandate for regulations detailing how its consumer privacy law is to be implemented.
As states develop a patchwork of consumer privacy laws, there have been calls for a single federal standard. Last year, a federal bill called the American Data Privacy and Protection Act (“ADPPA”) was introduced in the House of Representatives on June 21, 2022 and amended by the Committee on Energy and Commerce on December 30, 2022; it initially seemed to be gaining some traction. However, the ADPPA never came to a vote in the full House of Representatives, and it is unclear what will happen with the bill in light of the new Congress. We previously reported on the ADPPA here.
As for California’s privacy regulations, the California Privacy Protection Agency (“CPPA”) voted last month to send the final proposed text of the regulations to the Office of Administrative Law (“OAL”), which will review and either approve or reject them; the regulations were sent to the OAL on February 14, 2023. The OAL has not yet approved the proposed regulations, but given the 30-business-day review timeline to which the OAL is subject, approval will likely happen in the very near future. In the meantime, the CPPA has initiated preliminary rulemaking activities on the topics of cybersecurity audits, risk assessments, and automated decision-making. Public comments on these topics are being accepted now through March 29, 2023. For more information on the status of the CPRA regulations, see our previous post here.
With five (soon to be six!) comprehensive state consumer privacy laws, and corresponding rulemaking activity, compliance can be tricky. To assist, SPB can offer guidance materials on the state laws and best practices, as well as in-depth guidance on both the CPRA regulations and CPA rules obligations to active clients. Privacy World will also continue to cover legislative and rulemaking updates.