What’s Changed in the New Colorado Privacy Act (CPA) Draft Rules
Privacy & Compliance | October 19, 2022
The Colorado Privacy Act has been law since 2021, but the language of the law has yet to be finalized, even with the effective date of July 1st, 2023 fast approaching. Now, it looks like Colorado businesses and citizens have received some long awaited clarification on the law. Last month, the Colorado Attorney General’s office published 38 pages of proposed Colorado Privacy Act regulations that amend definitions and provides clarity on the existing text of the law.
In this blog, we’ll detail some of the most striking changes and additions put forth in the proposal.
What is the Colorado Privacy Act (CPA)?
The Colorado Privacy Act (CPA) is the third of five comprehensive state-level privacy acts to pass in the United States, preceded by the California Consumer Privacy Act and Virginia’s Consumer Data Privacy Act, and was followed by laws in Connecticut and Utah.
The Colorado Privacy Act (CPA) was designed to reduce harm to data subjects and create and uphold privacy rights for consumers and make data controllers act in ways that allow consumers to exercise those rights.
The CPA establishes the following five rights for Colorado citizens:
- The right to opt-out of their data being sold or used for targeted advertising or profiling.
- The right to know about the data use and access the data.
- The right to correct inaccuracies.
- The right to delete data.
- The right to get a copy of the data in a readily usable, easily transferrable format. They can exercise this right up to twice in a calendar year.
Whenever a data subject asks to exercise any of these rights, the data controller must respond as soon as possible. If they cannot do so within 45 days, they must tell the data subject they will need longer. In this case, the deadline extends to a maximum of 90 days.
Data subjects must be allowed to exercise these rights without creating an account or facing discrimination on price or service, and data controllers must respond to requests to exercise these rights in a timely fashion.
The CPA became law on 8 July 2021 and takes effect from 1 July 2023. The law also includes a “sunset” mechanism which will remove a “heal period” for fixing violations and introduce a “universal opt-out” mechanism for data sales.
What Changes to the CPA Do the Draft Rules Propose?
Changes to Definitions: Biometric Data Defined
The new draft rules put forth several new and amended definitions for terms including biometric data, data broker, human-involved automated processing, human-reviewed automated processing, sensitive data inference, and more
Most notably, the draft rules create a new definition for biometric data, which is considered sensitive data under the CPA, and requires prior consent for processing. Under the draft rules, “biometric data” is defined as “Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes. Unless such data is used for identification purposes, “Biometric Data” does not include (a) a digital or physical photograph, (b) an audio or voice recording, or (c) any data generated from a digital or physical photograph or an audio or video recording.”
“Biometric Identifiers” are defined as “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.”
Expanded Rules for Opt-Out Requests
The draft rules also expand upon the opt-out requirements of the CPA. According to the text, controllers must provide a “…clear and conspicuous…” opt-out link either in their privacy notice or in a readily-accessible location elsewhere that is “positioned in an obvious location of a website or application, such as the header or footer of a Controller’s internet homepage, or an application’s app store page or download page.” That link must take a consumer directly to the opt-out method the user must be given a clear understanding of its purpose
The draft rules set a deadline of 15 days for the cessation of processing activities following an opt-out request.
Universal Opt-Out Mechanism Specifications
The original text of the CPA introduced the concept of a universal opt-out method (UOOM), a tool by which customers can communicate their opt-out rights to all data controllers without requiring individualized requests, which is to be recognized as a method for opting out of data sales by 2025, but gave no technical specifications and did not define the requirements for their recognition.
Now, language in the draft rules has outlined some technical specifications, as well as requirements for the state to maintain a public list of recognized UOOMs. Controllers will be required to recognize UOOMs as of July 1st, 2024.
Privacy Notice Requirements
The draft rules set forth specific requirements for privacy notices and make some changes to existing requirements.
In their privacy policies, controllers will be required to identify every purpose for data processing “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing purpose.” Privacy processes also must detail the categories of personal data processed, and those that are sold or shared with third parties, along with the names of the third parties who receive said data.
Notices should also give a list of the CPA’s privacy rights along with instructions on submitting requests, among other requirements.
It’s important to note that the draft rules do not require organizations to maintain a separate, Colorado-specific privacy notice, so long as the primary privacy notice adheres to the rules of the CPA.
Changes to Consent Management Requirements
The CPA does not require consent for data processing, instead operating on an opt-out consent model, which aims to make consumers aware of processing activities and give them the option to revoke consent.
However, the CPA does require positive, opt-in consent for the processing of sensitive data, which is defined as data regarding race, religion, sex, citizenship, physical or mental health, biometric data, or data about someone known to be a child.
The draft rules also introduce a new category of sensitive data called ‘sensitive data inferences’ which is defined as “inferences made by a Controller based on Personal Data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.”
Controllers must also obtain consumer consent before processing personal data for a secondary purpose from that disclosed at the time of collection.
According to the draft rules, that consent must be obtained through “clear, affirmative action,” by the user that is freely given, specific, and informed. Consent may also be withdrawn at any point.
So-called ‘dark patterns’ are also covered in the draft ruling, which prohibits the use of “an interface design or choice architecture that has the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.”
When will the Colorado Privacy Act be Finalized?
Though the CPA was passed in July of 2021, it is not slated to go into effect until July 2023. The AG’s Office will stakeholder meetings on the draft rules on November 10, 15, and 17, 2022, and will hold public hearing on February 1, 2023. Following the public hearing the AG’s Office has 180 days to file the adopted rules with the Secretary of State, and those rules will go into effect twenty days after publication.
That would seem to potentially put the law on track to be finalized for July 2023, but there are some potential slowdowns in the legislative process.
A cost-benefit analysis may be requested by any member of the Colorado public, but this may only be done prior to the public hearing on February 1st. And, up to 15 days before the hearing, any member of the public may also request that the Colorado Office of Policy, Research & Regulatory Reform conduct a regulatory analysis.
Does my Organization Need to Comply with the Colorado Privacy Act?
The CPA applies to any organization that meets the following criteria for both location and the number of data subjects:
- The organization either does business in Colorado or that it produces products or services that are targeted at Colorado residents.
- The organization controls or processes the data of at least 100,000 Colorado consumers in a year. This falls to 25,000 if the organization profits from the selling of personal data.
Unlike in other state privacy laws, there is no minimum revenue requirement or exemption for non-profit organizations, although government data processing is exempt, as is data already covered by federal privacy laws such as HIPAA.
If your organization meets these criteria, you need to comply with the CPA whenever you process personal data about a Colorado consumer.
Both the Attorney General of Colorado and the state’s District Attorneys have authority to enforce the CPA, and violators could face penalties of up to $20,000 per violation. However, until 2025, there is a ‘heal period’ which gives controllers accused of a violation 60 days to remediate the issue.
How CHEQ Can Help
The CPA is just one in a series of state-level and international laws that bring new rights to consumers as well as new responsibilities—and penalties— for businesses and marketers. CHEQ now offers organizations a solution to help build a fully compliant website and simplify compliance with the Colorado Privacy Act, as well as the CCPA, CDPA, and GDPR.
With Ensighten Privacy by CHEQ you can geo-target opt-out of sale links for Colorado consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. And our low-code, zero-integration deployment means Privacy is easy to use and does not reply on integrations or APIs for complaince. A simple line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3rd party tags.