Colorado, as the third US state to enact comprehensive privacy legislation, is making significant progress in its rulemaking activities. On April 12, 2022, the Colorado Attorney General’s Office released prepared remarks by Colorado Attorney General (AG) Phil Weiser and released its pre-rulemaking considerations, inviting comment on eight important topics before rulemaking begins. In his remarks, AG Weiser highlighted the guiding principles of the Colorado Privacy Act (CPA), as well as the key topics requiring comment. Below is a selection of takeaways that businesses should consider and prepare for if they are subject to the CPA. The CPA will come into force on July 1, 2023.
The guiding principles of the CPA.
The CPA and its rule-making activities (the “Rules”) are guided by five main principles:
- Promotion of consumer rights. The Rules must protect consumer rights;
- Clarification of ambiguities. Rules should promote compliance and minimize conflict, where possible;
- Efficiency. The rules should help controllers and processors to effectively comply with the law;
- Harmony. The rules should facilitate interoperability with the privacy laws created by other national and international frameworks; and
- Innovation. The rules should not impose an undue burden on creativity and innovation.
The CPA rulemaking is open to public comment.
In the context of these Guiding Principles, the Colorado Department of Law (the “Department”) has released its pre-rulemaking considerations, opening invitations to comment on the following eight notable topics.
- Universal opt-out. Universal opt-out mechanisms (UOOMs) are technical measures that consumers can use to opt out of the processing of their personal data. During this pre-rulemaking process, the Department is seeking input on strategies for developing protocols and/or tools that can recognize and honor UOOMs. Questions include whether the tools should be tailored to different categories such as browsers or operating systems, and how a UOOM tool should handle consumer authentication.
- Consent. Under the CPA, “consent” means “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action” (emphasis added). The Department seeks comments on the meaning of a “clear, affirmative act”, “freely given” and “specific”. In addition, the Department would like to know whether existing mechanisms for establishing consent would adequately serve to capture consumer consent.
- Dark patterns. The CPA defines a dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” An example of a dark pattern is an inconspicuous “unsubscribe” link on a company’s homepage. The Department is seeking advice on the principles, frameworks and tools available to mitigate dark patterns. It also seeks information and research demonstrating the impact of dark patterns.
- Data Protection Assessments (DPAs). A DPA is a process that helps companies identify a project’s data protection risks and mitigate the risks identified. Similar to the GDPR, the CPA requires companies to conduct DPAs for activities that present a heightened risk of harm. The CPA includes targeted advertising, the sale of personal data, the processing of sensitive data and processing for profiling purposes among these high-risk activities. The Department is now seeking advice regarding the additional circumstances in which a DPA would be required, and whether a DPA should follow an existing model such as the EU (GDPR) model, enterprise risk management approaches or environmental impact statement models. The Department is also considering interoperability between DPAs and whether it should accept as adequate DPAs that have been conducted under the laws of other jurisdictions such as the EU.
- Profiling. Under the CPA, profiling is “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” The Department is considering what mechanisms would meaningfully enable consumers to understand the automated processing of their personal data so that they can make informed opt-out decisions, and whether these mechanisms should vary depending on the type of automated decision-making. Additionally, the Department is seeking information from other jurisdictions regarding effective mitigation of the risks of profiling and automated decision-making.
- Opinion letters and interpretive guidance. The CPA authorizes the AG to adopt rules governing a process for issuing opinion letters and interpretive guidance, effective January 1, 2025. The Department invites comments regarding the type of interpretive guidance the rules should provide and what the process for obtaining it should look like.
- Offline data collection. Some companies collect data through non-electronic means, such as signing a sidewalk petition. The Department is considering whether offline data collection should also be subject to the Rules and would therefore require consent and recognition of UOOMs.
- Protecting Coloradans in a national and global economy. The CPA and the Rules are intended to protect Coloradans participating in national and global markets and networks. The Department is seeking comments regarding the differences, overlap and interoperability between the CPA and the laws of other jurisdictions.
From this list of topics, AG Weiser highlighted three in his remarks: UOOMs, dark patterns, and DPAs, further emphasizing their importance to Colorado businesses. This fall, the Department will begin the formal notice-and-comment rulemaking phase by publishing a notice of rulemaking and an accompanying set of draft rules. The notice-and-comment phase will include at least one formal hearing as well as the ongoing opportunity to submit written comments.