Colorado Releases Proposed Privacy Rules, Further Complicating National Compliance Landscape

The Colorado Department of Law filed a set of proposed rules to implement the Colorado Privacy Act (Draft CO Rules) on Sept. 29, 2022, foreshadowing additional compliance obligations that businesses will have to strive to meet in 2023. The level of detail in the document – which is nearly 40 single-spaced pages in 10-point font – stands in stark contrast to the underlying law, which is high level and largely parrots the Virginia Consumer Data Protection Act (VCDPA). Though the Draft CO Rules are not as proscriptive as the proposed California Consumer Privacy Act (CCPA) rules regarding consumer-facing requirements, the Draft CO Rules focus much more heavily on data governance and management of sensitive data.

Because the Colorado Privacy Act does not go into effect until July 1, 2023, the rules are not on track to be finalized until sometime in the first half of 2023. However, businesses will likely need to immediately assess how the obligations fit into their compliance roadmap in light of ongoing work to comply with VCDPA and the California Privacy Rights Act (CPRA) amendments to CCPA, by Jan. 1, 2023 – both of which cover many of the same topics. Many of the proposed requirements of the Draft CO Rules are likely to take significant time to implement, particularly the data management requirements, which may have a tail of a year or more. To add to the complications, the timing of the final CCPA Rules is entirely uncertain, as the California Privacy Protection Agency (CPPA) already missed the July 1, 2022, statutory deadline for finalization.

Key Takeaways

• The Draft CO Rules are meaty, covering a range of topics in complex detail, from consumer-facing compliance (disclosures, handling requests and opt-out mechanisms), handling sensitive data, data minimization and purpose limitations, data protection impact assessments and restrictions related to profiling.
• The language of the Draft CO Rules is softer than the CCPA Rules – a number of rules are phrased as "may" instead of "must." But they also contain different rules for different permutations of situations – for example, one set of requirements for a pre-opt out from profiling disclosure, and another set of requirements for seeking consent for profiling after an opt-out.
• The Draft CO Rules would create a new class of "Sensitive Data Inferences" and add extra restrictions to the collection, creation and processing of such data.
• The Draft CO Rules contemplate a framework for data management wherein the organization has, in a centralized function, a detailed understanding of the ways in which data is collected, used and disclosed.

Analysis

The consumer-facing compliance requirements draw heavily from the draft CCPA Rules.

The Draft CO Rules contain a number of specifications to ensure that required disclosures are consumer-friendly, such as requirements to avoid legal jargon, publish disclosures in the languages in which the controller ordinarily does business and make disclosures accessible to consumers with disabilities (Rule 3.02(A)) – all requirements of the CCPA Rules. The requirements for submission of consumer requests do not materially differ from the CCPA Rules either (Rule 4.02). Two new aspects of the Draft CO Rules: a requirement to provide data in response to an access request in the language in which the consumer interacts with the business (Rule 4.04(c)(2)) and permission to direct consumers to self-service correction options (Rule 4.05(B)).

The Draft CO Rules take a slightly different approach to universal opt-out mechanisms.

Like the CCPA Rules, the Draft CO Rules devote a lot of text to the concept of an opt-out preference signal that is automatically communicated to businesses. The approach differs in a few material ways from the CCPA Rules, however. The Draft CO Rules contemplate that the Colorado Department of Law will issue a list of approved mechanisms – whereas the CCPA Rules would require recognition of any signal that is commonly recognized and indicates an intent to opt out. The Draft CO Rules also contemplate that a universal opt-out mechanism may be a "do not sell list" that businesses query on a regular basis – perhaps similar to how national and state Do Not Call Lists under the Telephone Consumer Protection Act (TCPA) operate.

Rules on purpose specification and data minimization would require granular tracking of processing activities.

The Draft CO Rules seem to require something more than the standard "How We Use Your Information" section in a privacy policy. Businesses would be required to "specify the express purposes" for which data is collected and processed in terms that are "sufficiently unambiguous, specific, and clear" such that they can be understood by the "average Consumer" and "enforcement authorities" (Rule 6.06). Businesses would also be required to conduct and document a "data minimization" analysis of each processing activity to assess whether the activity meets the requirement to use only the minimum personal information necessary, adequate and relevant for the express purpose (Rule 6.07).

Strict restrictions would apply to the processing of "Sensitive Data Inferences."

The Draft CO Rules create a new concept called "Sensitive Data Inferences," which are inferences that indicate an individual's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status (Defined Terms at 2.02). Businesses must obtain consent to process Sensitive Data Inferences (Rule 6.10(A)), unless a four-part test is met:

1. the purpose of the processing is obvious to a "reasonable Consumer"
2. both the underlying personal data and the Sensitive Data Inferences are deleted within 12 hours of collection or completion of the processing activity
3. the data is not sold or even shared with any processors
4. the data is not processed for any secondary purpose (Rule 6.10(B))

If the business will collect consent – which almost all will – the Draft CO Rules set forth extensive requirements for consent (Rule 7), including that it must be refreshed at regular intervals (Rule 7.08).

DPIAs must be a "genuine, thoughtful analysis" of risks and benefits.

The Colorado Privacy Act requires that businesses conduct a "data protection impact assessment," (DPIA) where a processing activity presents a "heightened risk of harm." Colo. Rev. Stat. 6-1-1309(1). Rule 8.04 of the Draft CO Rules sets forth 18 pieces of information that must be included in the DPIA and offers 11 different privacy risks that businesses must consider. The DPIA must be updated regularly throughout the time the processing activity is conducted – at least annually if the DPIA relates to Profiling in furtherance of "Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer" (Rule 8.05). While the Colorado Privacy Act does not require retroactive DPIAs for processing activities commenced before July 1, 2023, the Draft CO Rules would effectively eviscerate that exception by treating an activity as "new" if changes are made in the way an internal system handles personal data or a processor is changed (among other triggers) (Rule 8.05(D)).

Profiling

If a business uses automated processing to further "Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer," it must designate a method for individuals to opt out of such decisions (Rule 9.04(D)). The business must also provide the consumer with a notice that includes a "plain language explanation of the logic used in the Profiling process" and whether the system has been evaluated for "accuracy, fairness, or bias" (Rule 9.03(A)). The business can deny a request to opt out if there is human involvement in the automated processing, but if it does, it has to provide another notice (Rule 9.04).

What Happens Next?

A number of stakeholder hearings have been scheduled for November 2022 on different topics covered by the Draft CO Rules, and stakeholders can also submit written comments. A full public hearing has been scheduled for Feb. 1, 2023 – meaning that it will be several months before there is clarity as to what will be included in the final rules.

If you have questions about the potential impacts to your business, please contact the authors or another contact the authors or another member of Holland & Knight's Data Strategy, Security & Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.