The Colorado Attorney General’s Office released “Preliminary Considerations in Developing Rules for Colorado’s Privacy Law,” ahead of the formal notice and comment phase of the new law. The AG’s Office is seeking informal public comment on Colorado’s Privacy Act (CPA) with the goal of ensuring that interested parties can provide CPA-related comments, perspectives, and expertise.
Topics within the CPA on which the office specifically seeks feedback are:
- Universal refusal – The CPA gives Colorado consumers the “right to object to the processing of personal data.” This consideration aims to address “universal opt-out mechanisms” and “technical measures” that should be implemented for consumers to exercise their rights. The questions relate to the potential use of specific protocols or specifications, including available mechanisms and tools currently built into browsers, browser add-ons, and operating systems that could allow consumers to opt out.
- Consent – Under the CPA, there are instances where a controller cannot process personal data unless they first obtain consent from the consumer. The AG’s office is investigating what constitutes consent under the CPA in certain contexts and potential methods/mechanisms for obtaining consent from consumers.
- Dark patterns – The CPA states that agreements obtained using “dark patterns” do not constitute consent. According to the CPA’s definition, dark patterns are “a user interface designed or manipulated with the substantial effect of subverting or impairing the user’s autonomy, decision-making, or choice.” The AG’s office invites feedback, including on standards or principles that could be used to avoid the inadvertent use of dark patterns, specific types of dark patterns that should potentially be prohibited, and tools/frameworks that could be used to identify dark patterns.
- Data Protection Assessments – The CPA requires data controllers to carry out data protection assessments when carrying out processing that presents an “increased risk of harm to a consumer.” The AG’s office is working to determine the circumstances under which a DPA should be requested, the existing templates that could be used, and what information should be contained in DPAs.
- Profiling and “legal or similarly significant effects” – The CPA grants consumers the right to object to profiling, which is defined as “any form of automated processing of personal data for the purpose of evaluating, analyzing or predicting personal aspects relating to economic situation, health, personal preferences, an identified or identifiable person’s interests, reliability, behavior, locations, or movements.” The AG’s office invites comments on specific applications of profiling, potential negative impacts of immediately disabling consumer profiling, and other special considerations that may apply to disabling profiling in specific areas defined by law.
- Opinion Letters and Interpretation Tips – Under the CPA, the AG is authorized to make rules “governing a process for issuing opinion letters and interpretative advice.” Questions posed by the AG’s office include the type of interpretive advice that should be provided by the rules, the process for obtaining interpretive advice, and whether there is an existing interpretive advice process being used elsewhere that could be used.
- Offline and off-web data collection – The AG’s office seeks feedback on how to manage data collected by non-electronic methods. Examples of non-electronic methods include “filling out a rental form, signing a sidewalk petition, or buying a magazine subscription.” Questions posed by the AG include how the rules should deal with offline data collection and the challenges of maintaining consumer privacy preferences in online interactions.
- Protecting Coloradans in a National and Global Economy – This topic focuses on comparing/contrasting the CPA with privacy legislation in other jurisdictions. The AG’s office seeks feedback on how the CPA fits in with other laws and anything that could potentially be emphasized within the CPA to meet the best interests of Coloradans.
The AG’s office will follow these principles when approaching rulemaking:
- Promote consumer rights
- Clarify ambiguities
- Facilitate effective and timely compliance
- Allow innovation
Companies should be satisfied with these guiding principles as a whole and more specifically with the principle of harmonization which aims to ensure that the CPA is consistent with other state, national and international frameworks.
The CPA comes into force on July 1, 2023.