Colorado: Analysing the finalised CPA rules
On 15 March 2023, the Colorado Attorney General's ('AG') Office announced it had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State. The CPA Rules will go into effect on 1 July 2023 - the same date the Colorado Privacy Act ('CPA') goes into effect.
The CPA Rules both operationalise the CPA and create additional compliance obligations for controllers, including in the areas of privacy notices, processing purposes, secondary uses, data minimisation, the processing of sensitive data inferences, Data Protection Assessments ('DPAs'), and profiling. David Stauss, Partner at Husch Blackwell LLP, identifies and discusses those areas and provides key takeaways for controllers that must comply with the CPA.
Controllers generally have 45 days to respond to requests, which is consistent with the timing in the CPA. One distinction is that requests to opt out should be processed 'as soon as feasibly possible and without undue delay'. If a controller denies a request, it must provide an explanation to the consumer with certain prescribed information.
The CPA requires that all requests, including opt-out requests, be authenticated. The CPA Rules further specify that controllers should use 'commercially reasonable methods' for authentication. The CPA Rules provide a list of factors that controllers should consider, including the type of right exercised, the type, sensitivity, value, and volume of personal data, the level of possible harm that improper access or use could cause, and the cost of authentication. Those familiar with the California Consumer Privacy Act of 2018, as amended ('CCPA') Regulations will recognise that the CPA Rules provide a more flexible standard for authentication than appears in the CCPA Regulations.
As with the CCPA Regulations, the CPA Rules contain additional requirements for responding to specific types of consumer requests, including requests to access, delete, and correct. The requirements are generally consistent with the CCPA Regulations. For example, like the CCPA Regulations, the CPA Rules prohibit controllers from turning over certain types of sensitive information in response to access requests. This includes information such as social security numbers and passwords. Controllers still must explain that they have this information.
Finally, for requests to opt out of sales and targeted advertising, the CPA Rules require controllers to provide an opt-out method either directly or through a link, in a clear and readily accessible location outside their privacy notice. If a link is used, it must, among other things, take the consumer directly to the opt-out method, provide a clear understanding of the link's purpose, and allow the consumer to submit the request at any time. The CPA Rules state that the link can say 'Your Privacy Choices', language that is also found in the CCPA's alternative opt-out link regulation. For the right to opt out of profiling, controllers must provide a clear and conspicuous method for consumers to opt out at or before the time the profiling occurs.
Universal opt-out mechanisms
Starting 1 July 2024 (one year after the CPA goes into effect), controllers must recognise universal opt-out mechanisms ('UOOMs'). The CPA Rules provide extensive technical requirements for what qualifies as a recognised UOOM. For controllers, perhaps the most important takeaway from the CPA Rules is that the AG's Office will publish a list of recognised UOOMs no later than 1 January 2024. If the AG's Office later adds to the list, it will give controllers six months to recognise the new UOOM.
The CPA Rules also contain provisions dealing with how controllers can seek consumer consent to sell their personal data or engage in targeted advertising after a controller receives a UOOM. In doing so, the CPA Rules explain that a pop-up banner seeking consent to share personal data for targeted advertising is not a valid request for consent because the request degrades or obstructs the consumer's experience on the controller's web page or application. Instead, the AG's Office states that a controller's homepage could request consent by displaying a consumer's opt-out status at the top of the homepage next to a link that states 'Opt-In to Data Use'.
Duties of controllers
Rules 6.02 to 6.11 contain extensive requirements for controllers to adhere to when processing personal data. First, Rules 6.02 and 6.03 set forth requirements for privacy notices. These requirements are different from those found in the CCPA Regulations. Therefore, compliance with the CCPA Regulations will not be enough for compliance with the CPA Rules.
One notable requirement in Rule 6.03 is that controllers must identify the processing purpose in a level of detail that gives consumers an understanding of how each category of their personal data is used when provided for that processing purpose. That requirement must be read in conjunction with Rules 6.06, 6.07, and 6.08, which set forth the requirements for purpose specifications, data minimisation, and secondary use.
Rule 6.06A states that controllers must specify the 'express purposes for which each category of personal data is collected and processed in both external disclosures to consumers, including privacy notices […] as well as in any internal documentation'. Rule 6.07A further provides that controllers must 'carefully consider each processing purpose and determine the minimum personal data that is necessary, adequate, or relevant for the express purpose or purposes'. Finally, Rule 6.08 states that a controller must obtain consent before processing personal data for purposes that 'are not reasonably necessary to or compatible with specified processing purpose(s)'.
The takeaway is that controllers must carefully and thoughtfully ensure that their privacy notices contain accurate disclosures as to the purposes for which personal data is collected. In doing so, the CPA Rules forbid controllers from using broad disclosures or trying to include disclosures for future potential uses.
In addition, Rule 6.05 sets forth requirements for loyalty programs. In particular, Rule 6.05F identifies five disclosures that controllers must provide to consumers at the point of program registration. This information can be provided in a privacy notice or terms and conditions as long as the link provided to consumers takes them to the specific section of the document where the information can be found.
Finally, Rule 6.07 requires controllers to 'set specific time limits for erasure or to conduct a periodic review' to ensure that personal data is not kept longer than necessary, adequate, or relevant. Certain types of information, including biometric identifiers (defined in the CPA Rules), shall be reviewed at least annually to determine if storage is still proper. Sensitive data should be deleted or rendered permanently anonymised or inaccessible if consent is withdrawn.
The CPA requires controllers to obtain consumer consent for the processing of sensitive data. The CPA Rules expand this duty by creating an obligation for controllers to obtain consumer consent for the collection of sensitive data inferences. The CPA Rules define sensitive data inferences as inferences made by a controller based on personal data, alone or in combination with other data, which are used to indicate an individual's:
- racial or ethnic origin;
- religious beliefs;
- mental or physical health condition or diagnosis;
- sex life or sexual orientation; or
- citizenship or citizenship status.
For example, if a controller uses a consumer's precise geolocation data showing that they visited a church to infer their religious beliefs, that constitutes a sensitive data inference. Although the CPA Rules generally require controllers to obtain consent for the collection of sensitive data inferences, controllers can avoid obtaining consent for individuals over the age of 13 under certain circumstances.
To ensure that consent is informed, controllers must provide consumers with the controller's identity, the reason that consent is required, the processing purpose for which consent is sought, the categories of personal data that the controller shall process, the names of all third parties receiving sensitive data through a sale (if any), and a description of the right to withdraw consent. This information can be provided in a controller's general privacy notice so long as the link provided to the consumer takes the consumer to the specific section of the privacy notice with the required information.
Notably, controllers must refresh consent for certain processing activities every two years if they have not interacted with the consumer. However, controllers that provide consumers with the ability to update their opt-out preference at any time through a user-controlled interface do not need to refresh consent.
The CPA Rules, like the CPA, also prohibit controllers from using dark patterns to obtain consumer consent. The CPA Rules identify nine principles that controllers must adhere to for purposes of avoiding the use of dark patterns.
Data processing assessments
Another way in which the CPA Rules create additional obligations on entities that are not found in any other US state privacy law is the DPA requirements. The CPA Rules require DPAs to be a 'genuine, thoughtful analysis' that, at a minimum, describes 13 topics and involves all relevant internal actors and, where appropriate, external parties. DPAs must be completed before a controller initiates a processing activity, must be updated periodically, and can be requested by the state AG on 30 days' notice. If the processing activity includes profiling, the controller must consider additional factors.
Finally, the CPA Rules flesh out the requirements for controllers to provide consumers with the right to opt out of profiling. Under the CPA, consumers have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning them. The CPA defines profiling as 'any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements'. The CPA defines 'decisions that produce legal or similarly significant effects concerning a consumer' as a 'decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services'.
The CPA Rules require controllers to provide clear, understandable, and transparent information to consumers in the controller's privacy notice about the controller's profiling. This information includes what decision is subject to profiling, the categories of personal data at issue, an explanation of the logic used, how the profiling is relevant to the ultimate decision, and if the system has been evaluated for accuracy, fairness, or bias.
The CPA Rules also create three levels of automated processing, namely solely automated processing, human-reviewed automated processing, and human-involved automated processing. The difference in these levels comes down to how involved humans are (or are not) in the processing. For solely automated processing, no human is involved. For human-reviewed automated processing, a human is involved, but does not provide meaningful consideration (i.e. the human is more of a rubber stamp). For human-involved automated processing, the human provides meaningful consideration and has the authority to change or influence the outcome.
Ultimately, consumers have the right to opt out of solely automated or human-reviewed automated processing. Controllers do not have to provide the right to opt out of human-involved automated processing, but must provide a notice to consumers with a seven-part explanation.
Entities that are subject to the CPA will be required to engage in significant compliance activities. The CPA Rules operationalise the CPA, whilst also creating additional compliance obligations for controllers, including in the areas of controller duties, sensitive data processing, DPAs, and profiling.
David Stauss, Partner
Husch Blackwell LLP, Denver