
Colorado Attorney General publishes proposed privacy act rules

Regulatory Updates
Monday, October 24, 2022

Proposed Colorado Privacy Act rules were published in the Colorado Register and on the Colorado Secretary of State’s website, drafted according to statute by the Colorado Attorney General’s Office. The office is encouraging the public to provide feedback on the rules’ contents.

The Colorado Privacy Act protects state residents’ privacy in part by granting them rights to access the data that companies have collected about them and to dictate whether and how companies can continue to collect, store, use or sell their personal information. It also requires companies to be transparent about how they use personal data and to take precautions to reduce the risk that their data collection and use might pose to consumers. The law also grants the attorney general the authority not only to hold entities accountable for failing to comply with their obligations, but also to draft rules that would clarify the act’s requirements and provide guidance for compliance.

The Department of Law invites comments from all members of the public regarding the proposed draft rules during the rulemaking process. Pre-rulemaking, informal input was considered during the drafting process, and the comment submission portal is now open to the public for the formal rulemaking. Comments will be made part of the rulemaking record and will be posted online.

Members of the public will also be able to provide oral comment through three virtual stakeholder meetings, which will take place on Nov. 10, 15, and 17, 2022. In addition to written and oral comments, the department will hold a rulemaking hearing at 10 a.m. Feb. 1, 2023. The hearing will be conducted both in person and by video conference.

The department invites public comment on any provisions included in the proposed draft rules, including:

  • Definitions: Part 2 of the draft rules includes definitions and clarifications of key terms used in the CPA and draft rules, including “biometric data,” “bona fide loyalty programs” and “publicly available information.”
  • Consumers’ personal data rights: Part 4 of the draft rules describes how Coloradans may exercise new rights over their personal data, including the right to access and correct personal data and to opt out of the sale of personal data, or use of personal data for targeted advertising or profiling.
  • Universal opt-out mechanisms: Part 5 of the draft rules outlines the technical specifications for a tool or mechanism that will allow consumers to opt out of the processing of personal data by all businesses, instead of on a case-by-case basis.
  • Duties of entities using consumers’ data: Part 6 of the draft rules elaborates on the duties of entities that use and control consumers’ personal data, including obligations to safeguard personal data and protect consumer privacy.
  • Bona fide loyalty programs: Rule 6.05 clarifies disclosures and limitations associated with the use of Coloradans’ personal data for bona fide loyalty programs, or programs that offer discounts, rewards or other actual value in exchange for personal data.
  • Consent: Part 7 of the draft rules clarifies the requirements for obtaining consent from Coloradans prior to specific uses of personal data and addresses the prohibition against obtaining consumer agreement through unclear or ambiguous means, often called “dark patterns.”
  • Data protection assessments: Part 8 of the draft rules describes the required scope, content and timing of data protection assessments, which controllers must complete before using personal data for activities that present a heightened risk of harm to consumers.
  • Profiling: Part 9 of the draft rules addresses when and how controllers must respond to consumers’ requests to opt out of specific kinds of automated profiling as well as what controllers must include in data protection assessments when conducting automated profiling.

Among other things, controllers’ privacy notices must include specific methods through which a consumer may submit requests to exercise data rights. Under the proposed rule, the controller would have to:

  • Consider the ways in which consumers normally interact with the controller.
  • Comply with requirements provided in 4 CCR 904-3, Rule 3.01.
  • Use reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09, when exchanging information in furtherance of data rights requests, considering the volume, scope and nature of personal data that may be exchanged.
  • Be easy for consumers to execute, requiring a minimal number of steps.
  • Not use dark patterns, as defined by C.R.S. § 6-1-1303(9) and prohibited by 4 CCR 904-3, Rule 7.09.

The data rights request method would not have to be specific to Colorado, but the request method would have to:

  • Clearly indicate which rights are available to Colorado consumers.
  • Provide all data rights available to Colorado consumers.
  • Provide Colorado consumers a clear understanding of how to exercise their rights.
  • Meet all other requirements of this part, 4 CCR 904-3, Rule 4.02.

The rule would require controllers to comply with an access request “by providing the consumer all the specific pieces of personal data it has collected and maintains about the consumer, including without limitation, any personal data that the controller’s processors obtained in providing services to the controller.”

Additionally, it states, “To comply with a data portability request, a controller must transfer to a consumer the personal data it has collected and maintains about the consumer through a secure method in a commonly used electronic format that enables the consumer to have complete access to and full enjoyment of the personal data, including, but not limited to, the capacity to save, edit, and transfer the personal data to any other person or platform at consumer’s discretion.”

A controller is required to respond to a consumer’s data right request in compliance with the timing provisions of C.R.S. § 6-1-1306(2)(a)-(b).

“If a controller decides not to act on a consumer’s data right request, the controller’s response to the consumer must include the basis for the controller’s decision, including but not limited to (1) any conflict with federal or state law; (2) the relevant exception to the Colorado Privacy Act; (3) the controller’s inability to authenticate the consumer’s identity; (4) any factual basis for a controller’s good-faith claim that compliance is impossible; or (5) any good-faith, documented belief that the request is fraudulent or abusive.”

The proposed rule provides several principles for privacy notices. These include:

  • Complying with all requirements for disclosures and communications to consumers provided in 4 CCR 904-3, Rule 3.01.
  • Being concrete and definitive, as well as clearly labeled.
  • Being easily accessible.
  • Being specific, allowing a consumer “to understand, in advance or at the time of the processing, the scope of the controller’s processing operations, such that a consumer should not be taken by surprise at a later point about personal data that has been collected and the ways in which personal data has been processed.”

Under the proposed rules, controllers would have to specify the purposes for which personal data are collected and processed in external disclosures to consumers as well as in any internal documentation required. Additionally, it states, “To ensure all personal data collected is reasonably necessary for the specified purpose, controllers shall carefully consider each processing purpose and determine the minimum personal data that is necessary, adequate, or relevant for the express purpose or purposes. Such assessment shall be documented according to 4 CCR 904-3, Rule 6.11.”

Controllers would be required to maintain records of all consumer data rights requests made pursuant to C.R.S. § 6-1-1306 for at least 24 months. The records would have to include, at a minimum, the following:

  • The date of request.
  • The consumer data rights request type.
  • The date of the controller’s response.
  • The nature of the controller’s response.
  • The basis for the denial of the request if the request is denied in whole or in part.
  • The existence and resolution of any consumer appeal to a denied request.

The proposed rule would require that a data protection assessment be a genuine, thoughtful analysis that: 1) identifies and describes all risks posed by processing that presents a heightened risk of harm to a consumer; 2) documents measures considered and taken to address and offset those risks, including those duties required by C.R.S. § 6-1-1308; 3) contemplates the benefits of the processing; and 4) demonstrates that the benefits of the processing outweigh the risks offset by safeguards in place.

It would require that the depth, level of detail, and scope of data protection assessments be proportionate to the size of the controller, amount and sensitivity of personal data processed, and personal data processing activities subject to the assessment.

The data protection assessment would have to describe, at minimum, the following:

  • The processing activity.
  • The specific purpose of the processing activity.
  • The specific types of personal data to be processed as well as the sources and amount of personal data collected, how long the personal data will be maintained, and whether it includes sensitive data, including personal data from a known child as described in C.R.S. § 6-1-1303(24).
  • How the personal data to be processed is adequate, relevant, and limited to what is reasonably necessary in relation to the specified purpose.
  • Operational details for the processing, including planned processes for personal data collection, use, storage, retention, and sharing, and the technology or processors to be used.
  • Names and categories of personal data recipients, including third parties, affiliates, and processors that will have access to the personal data.
  • The relationship between the controller and the consumer(s) whose personal data will be processed.
  • The expectations of the consumer(s) concerning how their personal data will be used, including expectations based on privacy notices, consent disclosures and unique vulnerabilities.
  • Procedural safeguards to be afforded to the consumer when personal data is obtained.
  • Alternative processing activities considered to achieve the same purpose.
  • The sources and nature of risks to individual consumers and broader consumer groups posed by the processing activity.
  • Measures and safeguards a controller will put into place to mitigate risks and comply with C.R.S. § 6-1-1308.
  • If a controller is processing personal data for profiling as contemplated in C.R.S. § 6-1-1309(2)(a), a data protection assessment of that processing activity must also comply with 4 CCR 904-3, Rule 9.06.
  • If a controller is processing sensitive data pursuant to the exception in Section 4 CCR 904-3, Rule 6.10, the details of the process implemented to ensure that personal data and sensitive data inferences are not transferred and are deleted within 12 hours of the personal data processing activity subject to the exception, as well as the auditing procedure for this process.
  • The benefits of the processing that may flow to the controller, consumer, and other expected stakeholders, and how the benefits outweigh the risks, as mitigated by safeguards, and justify the processing activity.
  • Relevant internal actors and external parties contributing to the data protection assessment.
  • The data protection assessment review process, including whether any internal or external audit was conducted, and if so, the name of the auditor, the names and positions of individuals involved in the review process, and the details of the audit process.
  • Dates the data protection assessment was reviewed and approved, and names, positions, and signatures of the individuals responsible for the review and approval.

Written comments will be accepted until Feb. 1, 2023. Under the privacy act, rules can be enforced starting July 1, 2023.
