The Colorado Attorney General's Office released the final version of its rules implementing the Colorado Privacy Act (CPA) on March 15. The CPA was enacted on July 7, 2021, and the first draft of the implementing rules was released in October 2022. We discussed the CPA here and the first draft of the rules here. The Colorado Attorney General's Office solicited public comment on the proposed rules and cycled through two iterations before publishing this final version (we discussed a previous draft here).
The final rules maintain the structure and baseline requirements of the previous drafts, and although many of the changes to the final draft are ministerial, a number contain substantial clarifications and refinements. Below, we have highlighted both those changes that are likely to increase compliance burdens and those that are likely to decrease compliance burdens on companies subject to the CPA. The rules will become effective on July 1, 2023.
Notable Changes Likely to Increase Compliance Burdens
- Controllers may use a single consent request to seek consent for processing purposes that are not reasonably necessary to or compatible with one another, but within the same interface they must also provide a more granular mechanism that allows the consumer to consent to each processing purpose separately. The rule also clarifies that the sale of sensitive data to one party is not necessary to or compatible with the sale of that data to a different party. In practice, this may mean that Controllers will need to give consumers the ability to consent separately to the sale of sensitive data to each third party to whom the Controller sells it.
- Controllers must instruct processors to assist in complying with consumer rights requests, rather than merely notifying processors of the request, as was required in previous drafts.
- Controllers will be obligated to honor requests from any of the universal opt-out mechanisms included in a list to be maintained by the Colorado Department of Law and will be given six months' notice to comply with new mechanisms that are added to the list.
- In website privacy notices, rather than describing the "type" of third party to whom a Controller sells or with whom it shares data, the Controller must describe the business model of, or the processing conducted by, such third parties.
- Compliance records and records of rights requests must be retained for at least 24 months.
- In addition to having to annually review biometric information that they maintain, Controllers will also be required to review digital or physical photographs and audio or voice recordings of people to ensure "that storage is still necessary, adequate, or relevant to the express processing purpose."
Notable Changes Likely to Decrease Compliance Burdens
- When complying with data portability requests, Controllers are no longer required to ensure that consumers have "complete access to and full enjoyment of the personal data" but must instead ensure that "to the extent technically feasible," the data is "readily usable and allows the consumer to transmit personal data to another entity without hindrance."
- In website privacy notices, Controllers are required to include the purposes for which personal data is processed, but the final rules remove the requirement that "the express purpose must be detailed enough to enable the implementation of necessary data security safeguards and allow for compliance with the law to be assessed."
- Consumer requests submitted through a universal opt-out mechanism are limited to requests to restrict processing for the purposes of targeted advertising and the sale of personal data.
- Controllers are not required to comply with consumer requests with regard to de-identified data.
- If a Controller does not know the identity of a consumer submitting an opt-out request, such that the Controller is unable to opt the consumer out of the processing of offline or other connected personal data, the Controller is now permitted to request additional information about that consumer. If the Controller is not able to verify the consumer's identity, it is not required to honor the request.
- Although Controllers may not treat a consumer's refusal or withdrawal of consent to the consumer's detriment, the final rules clarify that "if a Consumer refuses to Consent to, or withdraws consent for the Processing of Sensitive Data or Personal Data strictly necessary for a program, product or service, the Controller is no longer obligated to provide that program, product or service."
- When a consumer has not interacted with the Controller for 24 months (increased from 12 months in the previous draft), the Controller must refresh its consents.
DWT's Privacy and Security team regularly counsels clients on how their business practices can comply with state privacy laws, including the CPA, and we continue to monitor the rapid development of state and federal privacy laws and regulations.