The Attorney General of Colorado has published a draft of proposed rules related to implementing the Colorado Privacy Act, and the public is being asked to comment on the proposal.
A copy of the Notice of Proposed Rulemaking can be accessed by clicking here.
The state has also scheduled a number of what it calls “stakeholder sessions,” which will be virtual meetings to discuss the proposed rules. The sessions will be held on November 10, November 15, and November 17. The November 10 session will cover consumer rights and universal opt-out mechanisms, the November 15 session will cover controller obligations and data protection assessments, and the November 17 session will cover profiling, consent, and definitions.
The law is scheduled to go into effect July 1, 2023.
While the Colorado Privacy Act does not include a private right of action, it does include the right for residents of the state to access, correct, and delete the personal data held by organizations that are subject to the law. Residents will also have the right to opt out of receiving personalized offers based on their data and prevent their data from being sold.
Among the specific provisions the AG’s office is seeking comment from the public on are:
- Definitions: Part 2 of the draft rules includes definitions and clarifications of key terms used in the CPA and draft rules, including “biometric data,” “bona fide loyalty programs,” and “publicly available information.”
- Consumers’ personal data rights: Part 4 of the draft rules describes how Coloradans may exercise new rights over their personal data, including the right to access and correct personal data and to opt out of the sale of personal data, or use of personal data for targeted advertising or profiling.
- Universal opt-out mechanisms: Part 5 of the draft rules outlines the technical specifications for a tool or mechanism that will allow consumers to opt out of the processing of personal data by all businesses, instead of on a case-by-case basis.
- Duties of entities using consumers’ data: Part 6 of the draft rules elaborates on the duties of entities that use and control consumers’ personal data, including obligations to safeguard personal data and protect consumer privacy.
- Bona fide loyalty programs: Rule 6.05 clarifies disclosures and limitations associated with the use of Coloradans’ personal data for bona fide loyalty programs, or programs that offer discounts, rewards, or other actual value in exchange for personal data.
- Consent: Part 7 of the draft rules clarifies the requirements for obtaining consent from Coloradans prior to specific uses of personal data, and addresses the prohibition against obtaining consumer agreement through unclear or ambiguous means, often called “dark patterns.”
- Data protection assessments: Part 8 of the draft rules describes the required scope, content, and timing of data protection assessments, which controllers must complete before using personal data for activities that present a heightened risk of harm to consumers.
- Profiling: Part 9 of the draft rules addresses when and how controllers must respond to consumers’ requests to opt out of specific kinds of automated profiling, as well as what controllers must include in data protection assessments when conducting automated profiling.