CPA Update: Assessing the Impact of the Colorado Privacy Act Draft Rules

On September 30, 2022, the Colorado Attorney General’s office published proposed Colorado Privacy Act (CPA) rules, a lengthy set of regulations that may significantly expand the CPA’s requirements and will require businesses to carefully examine their compliance obligations.


Although Colorado Attorney General Phil Weiser hoped to adopt final rules in 1Q23, his office will not hold its public hearing until February 1, 2023, which means that Colorado is still months from finalizing its regulations.

In its current form, the rules clarify some aspects of the legislation (consumer requests, for example) but also introduce complexity in areas such as data protection assessments and profiling. More specifically, the draft rules:

  • Require controllers to obtain consent for the collection of biometric data but do not define the term
  • Clarify how controllers must receive and respond to consumer requests, in a manner similar to the California Consumer Privacy Act (CCPA)
  • Focus privacy notice requirements on processing purposes, which differs from the CCPA’s focus on categories of personal information; this difference will likely create interoperability challenges
  • Require controllers to notify consumers of substantive and material changes to privacy notices 15 days before the changes go into effect
  • Introduce extensive disclosure requirements for bona fide loyalty programs and define unified opt out mechanism (UOOM) requirements
  • Suggest that controllers must create and enforce document retention schedules
  • Create a new category called “sensitive data inferences” and require the deletion of these inferences from individuals over 13 years of age no later than 12 hours after collection if they are collected without consent
  • Provide an in-depth analysis of how to obtain user consent
  • Contain extensive requirements on how to perform data protection assessments

Privacy Notices

The draft rules do not require businesses to provide a Colorado-specific privacy notice or section of a privacy notice as long as the notice contains all of the information required by the rules and “makes clear” that Colorado residents are entitled to the rights provided in section 1306 of the CPA. Notices must be posted online using the word “privacy.”

Privacy notices must provide:

  • A list of the CPA’s privacy rights
  • Instructions on submitting requests
  • An explanation of the controller’s authentication procedure

By July 1, 2024, privacy notices must include:

  • An explanation of how the controller recognizes UOOMs
  • Information regarding the treatment of sensitive data inferences
  • The controller’s contact information
  • Instructions on the controller’s appeal process
  • The date the privacy notice was last updated

Loyalty Programs

Businesses that provide bona fide loyalty programs, defined as “a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing discounts, rewards, or other actual value to Consumers that voluntarily participate in that program,” must disclose the:

  • Categories of personal data collected through the program that will be sold or processed for targeted advertising
  • Categories of third parties that will receive the consumer’s personal data, including whether personal data will be provided to data brokers
  • Value of the bona fide loyalty program benefits available to the consumer if the consumer opts out of the sale of personal data or processing of personal data for targeted advertising
  • Value of the bona fide loyalty program benefits available to the consumer if they do not opt out
  • List of program benefits that require the processing of personal data for sale or targeted advertising and the third party receiving the personal data and providing each such program benefit

Data Minimization

The rules state that personal data “are not kept longer than necessary, adequate, or relevant,” suggesting that businesses must create and enforce document retention schedules. Any personal data “determined no longer to be necessary, adequate or relevant to the express Processing purpose(s) shall be deleted by the Controller and any Processors.” Businesses must also review the retention of biometric identifiers annually.

Consent

The CPA will require businesses to obtain consumer consent for the processing of sensitive data. When the CPA goes into effect on July 1, 2023, businesses can use previously obtained consent if it complies with certain statutory requirements. Consent must:

  • Be obtained through the consumer’s clear, affirmative action
  • Be freely given
  • Be specific
  • Be informed
  • Reflect the consumer’s unambiguous agreement

How can PrivacyCare help?

To cost-effectively ensure you are complying with privacy regulations, you need to track consumer requests to opt-out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, you risk costly penalties and reputational damage.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. Up-to-date coverage of the latest changes to data privacy laws across the U.S.

Get started with PrivacyCare for help with your CPA data privacy compliance.
