On September 30, 2022, the Colorado Attorney General’s Office (“Colorado AG”) issued its proposed draft Colorado Privacy Act (“CPA”) Rules (the “CPA Rules” or “Rules”). The draft Rules, which impose significant complexity and obligations on businesses, go far beyond what was expected of the Colorado AG and, despite the repeated insistence on interoperability with other state laws, veer sharply away from the approaches being taken in California in many respects.
Rulemaking Process Timeline
The Colorado AG will hold three virtual stakeholder meetings on November 10, 15, and 17, 2022. The stakeholder meetings are a forum for the AG to gather feedback from a broad range of stakeholders and aid in the development and finalization of the Rules to implement the CPA. Written comments for stakeholder meetings must be submitted by November 7, 2022.
In addition, the AG may host additional opportunities for public input beyond those listed above if it determines doing so is prudent or necessary to revise the Rules and incorporate stakeholder input. The dates and times of these additional sessions will be announced via the CPA rulemaking mailing list and on the AG’s website.
On February 1, 2023, the AG will hold a public hearing at 10:00 am CST. The hearing will be conducted both in person and by video conference. All interested parties must register to attend the public hearing, which can be done through the AG’s website. Interested parties can also testify at the rulemaking hearing and/or submit written comments through the online CPA rulemaking comment portal.
The February 2023 hearing date marks the end of the public comment period (unless the AG makes substantial modifications to the Rules that would require the rulemaking process to be completed a second time). After the hearing, the AG will have 180 days to file adopted Rules with the Colorado Secretary of State for publication in the Colorado Register. The Rules will then take effect twenty days after publication. The CPA itself goes into effect on July 1 of next year.
The draft Rules are organized into nine parts: (1) general applicability; (2) definitions; (3) consumer disclosures; (4) consumer personal data rights; (5) universal opt-out mechanism (“UOOM”); (6) controller duties; (7) consent; (8) data protection assessments (“DPAs”); and (9) profiling.
While we will be posting a more in-depth analysis of the draft Rules shortly, a few of the more notable aspects of the Rules that jump out immediately are:
- Privacy Notice Content Requirements: The draft Rules set forth granular requirements as to the content that will be required in CPA-compliant privacy notices. Interestingly, while the Colorado AG has repeatedly emphasized interoperability with other state laws, such as California, the privacy notice requirements encompassed within the draft Rules are tied to processing purposes, rather than categories of personal information, representing a markedly different approach from the current California Consumer Privacy Act (“CCPA”) and the proposed draft California Privacy Rights Act (“CPRA”) regulations. Pursuant to the Rules, each processing purpose must be described “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing Purpose.”
- UOOM Specifications: The draft Rules introduce detailed technical and other specifications regarding the UOOM, Colorado’s version of the global privacy control (“GPC”) concept, which includes requirements for browser/device-based opt-outs, along with a publicly available “Do Not Sell” list akin to the “Do Not Call” list maintained by the FCC.
- Profiling: The draft Rules prescribe detailed provisions regarding profiling in furtherance of decisions that produce legal or similarly significant effects. We do not yet have CPRA regulations on this topic.
- Sensitive Data Inferences Duty: The draft Rules create a new category of sensitive data known as “Sensitive Data Inferences,” which means “inferences made by a Controller based on Personal Data, alone or in combination with other data, which individuate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.” Under the Rules, controllers are limited to processing such inferences only under certain circumstances and must ensure that any inferences of this nature are deleted within 12 hours of collection.
- Explicit Data Retention Schedule Requirement: The draft Rules also provide that in order to ensure that personal data is “not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.” In practice, this means that companies subject to the CPA will need to create data retention and destruction schedules if they do not already have them in place.