July 12, 2022

Colorado AG Privacy Rulemaking Session Highlights Areas of Concern

Holland & Knight Cybersecurity and Privacy Blog
Kristen N. Ricci | Ashley L. Shively | Mark H. Francis | Rachel Marmor

The office of the Colorado Attorney General (AG) heard informal input from members of the public on June 22 and 28, 2022, with regard to an upcoming rulemaking from the AG's office that will supplement the Colorado Privacy Act (CPA). The CPA was passed into law as Senate Bill 21-190 on July 7, 2021, and goes into effect on July 1, 2023, together with the forthcoming regulations. The rulemaking session highlighted the expressed interest of both the public and the Colorado AG to develop regulations that help businesses comply with the law by making processes simple and straightforward.

Prior to the hearings, the AG released Pre-Rulemaking Considerations for the Colorado Privacy Act to preview the AG's priorities and solicit public input on specific topics including universal opt-outs, consent, dark patterns, data protection assessments, profiling, the value of opinion letters and offline data collection.

As addressed at the public sessions and in the AG's prior comments, the AG intends to use the rulemaking process to clarify ambiguities in the statute and resolve areas of potential dispute. In particular, the following commentary was offered at the hearings by the public and the AG.

  • Promote Consistency: The AG has acknowledged the regulations should facilitate interoperability alongside existing and competing protections in other state, national and international laws. It would be beneficial for the Colorado AG to work alongside other state regulators to harmonize the regulations to the best extent possible.
  • Protect Innovation: The regulations should not unduly burden businesses from developing creative and adaptive solutions to address challenges presented by advances in technology.
  • Identify Dark Patterns: The CPA requires consent for the collection of sensitive personal information. It also prohibits businesses from obtaining such consent via a user interface designed to subvert or impair user autonomy or choice. While the definition provides some insight into the mindset of the AG, the definition is broad and subject to interpretation. Commentators agreed that the regulations should outline specific types of dark patterns that are prohibited and/or identify design choices that the AG would consider a dark pattern.
  • Avoid Use of a Specific Universal Opt-Out Mechanism: Commentators urged the AG to recognize that one size does not fit all and to permit various platforms and technology providers to develop opt-out signals. In turn, businesses should be able to select and implement a particular platform or tool that works best for their consumers.
  • Establish Criteria for Data Protection Impact Assessments: Commenters urged the AG to establish criteria for when a data protection impact assessment is required and identify heightened risk triggers that address real and quantifiable harms to consumers.
  • Clarify Use of Cookie Banners: It is unclear how businesses can obtain consent to sell personal data or engage in targeted advertising after receiving an opt-out. The AG should confirm that a business may use an existing cookie banner and consent management platform for these purposes.
  • Guide Data Brokers: Commenters urged the AG to draft regulations that guide businesses that obtain personal data from third-party sources on how to address and respond to consumer requests.

The Colorado AG is also soliciting informal comments through a website form for those interested in making a submission.

Draft regulations are set to be released this fall for notice and comment, with final regulations promulgated in early 2023. This will leave businesses with a few months to gear up for compliance before enforcement begins on July 1, 2023.
