Colorado Finalizes Regulations for Colorado Privacy Act

On Wednesday, March 15, the Colorado Attorney General’s Office announced the finalization of the Colorado Privacy Act Rules (“Rules”). The Rules implement the Colorado Privacy Act (CPA), a comprehensive privacy law enacted in 2021. Both the CPA and the Rules will enter into effect on July 1, 2023.

Businesses should familiarize themselves with the Rules, as they clarify and expand upon the requirements articulated in the CPA. Moreover, while the Rules cover much of same ground as the California Privacy Rights Act (CPRA) regulations recently approved by the California Privacy Protection Agency (CPPA), the two regulatory frameworks differ in several important respects. Most notably, the Colorado Rules addresses two topics — data protection assessments and profiling — that California regulators are only beginning to consider, while the CPRA regulations include provisions specific to enforcement and third-party processing absent from the Colorado Rules. Thus, while companies can leverage their CPRA-specific compliance programs to align with many of the Colorado requirements, the overlap will not be comprehensive.

Below, we provide a summary of the Colorado Privacy Act Rules’ major provisions and notable differences between the Rules and the CPRA regulations. We are happy to answer any questions that you have about Colorado privacy law compliance.

MAJOR PROVISIONS & COMPARISON WITH CPRA

The key provisions of the Rules remains largely similar to the “Version 3” proposed rules shared by the Colorado Department of Law in late January. As we have previously written, the Rules address topics including consumer personal data rights, universal opt-out mechanisms, controller duties (with a particular focus on privacy notices and loyalty programs), consumer consent (focusing especially on dark patterns), data protection assessments, and controller use of profiling. Interestingly, the Rules address topics across the full span of the CPA, despite the statute only requiring rules pertaining to opt-out mechanisms.

The Rules are perhaps most notable in providing implementation guidance and illustrative examples on several topics only briefly addressed in the text of the CPA. These areas of the Rules will be particularly useful for companies attempting to navigate the CPA from a compliance perspective:

• Universal opt-out mechanisms (Part 5): The CPA requires that, beginning on July 1, 2024, controllers allow consumers to exercise their rights to opt-out of the processing of their personal data for purposes of targeted advertising or sale through a “universal opt-out mechanism.” Part 5 of the Rules, among other things, details the technical specifications for these universal opt-out mechanisms and explains how the Colorado Department of Law will maintain a public list of opt-out mechanisms that satisfy those specifications.
• Loyalty programs (Rule 6.05): The Rules greatly expand on the CPA’s brief reference to customer loyalty programs, explaining the contexts in which companies may permissibly terminate a loyalty benefit for a customer who exercises data rights relevant to those benefits. For instance, the regulations explain that, if a consumer exercises their right to delete, “such that it is impossible for the Controller to provide a certain Bona Fide Loyalty Program Benefit to the Consumer, the Controller is no longer obligated to provide that Bona Fide Loyalty Benefit to the Consumer.” The Rules also provide a list of “loyalty program disclosures” that applicable controllers must make and offer a series of illustrative examples for companies to consider in determining their compliance.
• Consent and dark patterns (Rule 7): The Rules include a lengthy section addressing user consent, and in particular devote an entire section to the concept of dark patterns, providing a series of nine principles that controllers should “consider[] when designing a user interface or a choice architecture used to obtain Consent,” including, for example, presentation of symmetrical choices, avoidance of “emotionally manipulative language or visuals,” not using “preselected or default option[s],” and considering the “unique characteristics of the target audience.” In tackling dark patterns in greater depth, Colorado joins other privacy regulators – including the CPPA and FTC – in devoting an increased focus to this issue.
• Data protection assessments (Rule 8): The Rules provide additional guidance for companies seeking to comply with the CPA’s mandate that companies conduct data protection assessments for processing activities that “present[] a heightened risk of harm” to consumers. In particular, the Rules catalog the content that these assessments must include and provide details about the timing of these assessments. This is an area that the Colorado Rules explore in greater depth than the CPRA regulations, which do not include any specifications regarding data protection assessments. Indeed, as we have previously noted, the topic of cybersecurity risk assessment is one that the CPPA is only now just starting to examine, having issued an invitation for preliminary public comments on the topic in early February. Notably, in that invitation, the CPPA expressly asked for feedback regarding adopting Colorado’s approach in this area, suggesting that California regulators may look, at least in part, to Colorado as a model in devising its cyber risk assessment regulations.
• Profiling (Rule 9): Finally, the Rules greatly expand on the CPA’s profiling requirements. Most notably, the Rules specify what profiling-related disclosures controllers must make in their privacy notices, explaining that such disclosures must address, among other things, the decisions that are subject to profiling, the categories of data that will be processed as part of said profiling, whether the relevant profiling system “has been evaluated for accuracy, fairness, or bias,” and the “benefits and potential consequences of the decision based on the Profiling.” This is another area where the Colorado Rules go beyond what the CPRA regulations currently include — profiling and automated decision-making were additional subjects of the CPPA’s recent invitation for preliminary public comments.

As noted above, the Colorado Rules go beyond the CPRA regulations in several respects, most notably tackling two topics (data protection assessments and profiling) that California regulators are only in the early stages of addressing. However, there are at least two major issues addressed in the CPRA regulations that the Colorado Rules do not address.

1. Enforcement: Most notably, whereas the CPRA regulations will be administered by a dedicated agency (the CPPA), Colorado’s regulations establish no such specialized entity, and will instead be enforced simply by the Colorado Attorney General and district attorneys, as appropriate. Without a dedicated agency devoted to privacy, then, we suspect that the pace of Colorado privacy enforcement activities and regulatory updates will be slower than that seen in California.
2. Requirements for service providers, contractors, and third parties: The CPRA regulations also include a dedicated section addressing requirements for service providers, contractors, and other third parties, including contract requirements guiding these parties’ handling of personal information. No equivalent section exists in the Colorado Rules.

Authors

Kirk J. Nahra