Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

Colorado releases privacy act updates

Privacy, Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Consumer Protection

Privacy, Cyber Risk & Data Security

Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. The attorney general also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The attorney general previously released two versions of the draft rules last year (covered by InfoBytes here and here).

The third set of draft rules seeks to address additional concerns raised through public comments and makes a number of changes, including:

  • Clarifying definitions. The modifications add, delete, and amend several definitions, including those related to “bona fide loyalty program,” “information that a [c]ontroller has a reasonable basis to believe the [c]onsumer has lawfully made available to the general public,” “publicly available information,” “revealing,” and “sensitive data inference” or “sensitive data inferences.” Among other things, the definition of “publicly available information” has been narrowed by removing the exception to the definition that had excluded publicly available information that has been combined with non-publicly available information. Additionally, sensitive data inferences now refer to inferences which “are used to” indicate certain sensitive characteristics.
  • Right to opt out and right to access. The modifications outline controller requirements for complying with opt-out requests, including when opt-out requests must be completed, as well as provisions for how privacy notice opt-out disclosures must be sent to consumers, and how consumers are to be provided mechanisms for opting-out of the processing of personal data for profiling that results in the provision or denial of financial or lending services or other opportunities. With respect to the right to access, controllers must implement and maintain reasonable data security measures when processing any documentation related to a consumer’s access request.
  • Right to correct and right to delete. Among other changes, the modifications add language providing consumers with the right to correct inaccuracies and clarify that a controller “may decide not to act upon a [c]onsumer’s correction request if the [c]ontroller determines that the contested [p]ersonal [d]ata is more likely than not accurate” and has exhausted certain specific requirements. The modifications add requirements for when a controller determines that certain personal data is exempted from an opt-out request.
  • Notice and choice of universal opt-out mechanisms. The modifications specify that disclosures provided to consumers do not need to be tailored to Colorado or refer to Colorado “or to any other specific provisions of these rules or the Colorado Privacy Act examples.” Additionally, a platform, developer, or provider that provides a universal opt-out mechanism may, but is not required to, authenticate that a user is a resident of the state.
  • Controller obligations. Among other things, a controller may choose to honor an opt-out request received through a universal opt-out mechanism before July 1, 2024, may respond by choosing to opt a consumer out of all relevant opt-out rights should the universal opt-out mechanism be unclear, and may choose to authenticate that a user is a resident of Colorado but is not required to do so.
  • Purpose specification. The modifications state that controllers “should not specify so many purposes for which [p]ersonal [d]ata could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.” Controllers must modify disclosures and necessary documentation if the processing purpose has “evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose.”
  • Consent. The modifications clarify that consent is not freely given when it “reflects acceptance of a general or broad terms of use or similar document that contains descriptions of [p]ersonal [d]ata [p]rocessing along with other, unrelated information.” Requirements are also provided for how a controller may proactively request consent to process personal data after a consumer has opted out.
  • User interface design, choice architecture, and dark patterns. The modifications provide that a consumer’s “ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.” The modifications also specify principles that should be considered when designing a user interface or a choice architecture used to obtain consent, so that it “does not impose unequal weight or focus on one available choice over another such that a [c]onsumer’s ability to consent is impaired or subverted.”

Additional modifications have been made to personal data use limitations, technical specifications, public lists of universal opt-out mechanisms, privacy notice content, loyalty programs, duty of care, and data protection assessments. Except for provisions with specific delayed effective dates, the rules take effect July 1 if finalized.

On February 28, the attorney general announced that the revised rules were adopted on February 23, but are subject to a review by the attorney general and may require additional edits before they can be finalized and published in the Colorado Register.