Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Colorado finalizes privacy rules

    Privacy, Cyber Risk & Data Security

    On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.

    Privacy, Cyber Risk & Data Security State Issues Colorado State Regulators Colorado Privacy Act State Attorney General Agency Rule-Making & Guidance

  • Colorado releases privacy act updates

    Privacy, Cyber Risk & Data Security

    Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. The attorney general also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The attorney general previously released two versions of the draft rules last year (covered by InfoBytes here and here).

    The third set of draft rules seeks to address additional concerns raised through public comments and makes a number of changes, including:

    • Clarifying definitions. The modifications add, delete, and amend several definitions, including those related to “bona fide loyalty program,” “information that a [c]ontroller has a reasonable basis to believe the [c]onsumer has lawfully made available to the general public,” “publicly available information,” “revealing,” and “sensitive data inference” or “sensitive data inferences.” Among other things, the definition of “publicly available information” has been narrowed by removing the exception to the definition that had excluded publicly available information that has been combined with non-publicly available information. Additionally, sensitive data inferences now refer to inferences which “are used to” indicate certain sensitive characteristics.
    • Right to opt out and right to access. The modifications outline controller requirements for complying with opt-out requests, including when opt-out requests must be completed, as well as provisions for how privacy notice opt-out disclosures must be sent to consumers, and how consumers are to be provided mechanisms for opting-out of the processing of personal data for profiling that results in the provision or denial of financial or lending services or other opportunities. With respect to the right to access, controllers must implement and maintain reasonable data security measures when processing any documentation related to a consumer’s access request.
    • Right to correct and right to delete. Among other changes, the modifications add language providing consumers with the right to correct inaccuracies and clarify that a controller “may decide not to act upon a [c]onsumer’s correction request if the [c]ontroller determines that the contested [p]ersonal [d]ata is more likely than not accurate” and has exhausted certain specific requirements. The modifications add requirements for when a controller determines that certain personal data is exempted from an opt-out request.
    • Notice and choice of universal opt-out mechanisms. The modifications specify that disclosures provided to consumers do not need to be tailored to Colorado or refer to Colorado “or to any other specific provisions of these rules or the Colorado Privacy Act examples.” Additionally, a platform, developer, or provider that provides a universal opt-out mechanism may, but is not required to, authenticate that a user is a resident of the state.
    • Controller obligations. Among other things, a controller may choose to honor an opt-out request received through a universal opt-out mechanism before July 1, 2024, may respond by choosing to opt a consumer out of all relevant opt-out rights should the universal opt-out mechanism be unclear, and may choose to authenticate that a user is a resident of Colorado but is not required to do so.
    • Purpose specification. The modifications state that controllers “should not specify so many purposes for which [p]ersonal [d]ata could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.” Controllers must modify disclosures and necessary documentation if the processing purpose has “evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose.”
    • Consent. The modifications clarify that consent is not freely given when it “reflects acceptance of a general or broad terms of use or similar document that contains descriptions of [p]ersonal [d]ata [p]rocessing along with other, unrelated information.” Requirements are also provided for how a controller may proactively request consent to process personal data after a consumer has opted out.
    • User interface design, choice architecture, and dark patterns. The modifications provide that a consumer’s “ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.” The modifications also specify principles that should be considered when designing a user interface or a choice architecture used to obtain consent, so that it “does not impose unequal weight or focus on one available choice over another such that a [c]onsumer’s ability to consent is impaired or subverted.”

    Additional modifications have been made to personal data use limitations, technical specifications, public lists of universal opt-out mechanisms, privacy notice content, loyalty programs, duty of care, and data protection assessments. Except for provisions with specific delayed effective dates, the rules take effect July 1 if finalized.

    On February 28, the attorney general announced that the revised rules were adopted on February 23, but are subject to a review by the attorney general and may require additional edits before they can be finalized and published in the Colorado Register. 

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Consumer Protection

  • Colorado releases second draft of Colorado Privacy Act rules

    Privacy, Cyber Risk & Data Security

    On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).

    The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:

    • Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommericial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
    • Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
    • Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
    • Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specifies deletion requirements.
    • Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
    • Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
    • Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.

    Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Agency Rule-Making & Guidance

  • Colorado releases draft Colorado Privacy Act rules

    Privacy, Cyber Risk & Data Security

    On September 29, the Colorado attorney general published proposed draft Colorado Privacy Act (CPA) rules with the Colorado Department of Regulatory Agencies. (See Colorado Register here.) As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights. The CPA provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism.

    Pre-rulemaking considerations were released in April, where the AG’s office stated that it planned to adopt a principle-based model for the state’s rulemaking approach, rather than a prescriptive one (covered by InfoBytes here). Comments received on the pre-rulemaking considerations, as well as feedback received during two public listening sessions, were considered when drafting the proposed rules. The AG’s office explained that when considering feedback it sought to clarify the CPA, simplify compliance, and ensure consumer privacy rights granted by the statute are protected, while also attempting to create a legal framework that “does not overly burden technological innovation” while operating in conjunction with other national, state, and international data privacy laws.

    • Definitions. The proposed rules add new terms aside from those already set forth in the CPA. These include terms related to biometric data and identifiers (including behavioral characteristics), bona fide loyalty programs, data brokers, automated processing, publicly available data, opt-out purposes and mechanisms, sensitive data inferences, and solely automated processing. The term “sensitive data inferences” indicates an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. Controllers must obtain consent to process sensitive data inferences unless they meet specific requirements. Additionally, controllers must comply with certain retention and deletion requirements for this type of information.
    • Disclosures. The proposed rules provide that disclosures, notifications, and other communications to consumers must be clear, accessible, and understandable, and must be available in the languages in which the controller would ordinarily do business, as well as be accessible to consumers with disabilities (online notices should generally follow recognized industry standards such as version 2.1 of the Web Content Accessibility Guidelines).
    • Consumer personal data rights. The proposed rules outline requirements for submitting data rights requests, including through online and in-person methods, and requires controllers to use reasonable data security measures when exchanging information. Among other things, requests should be easy to execute, require a minimal number of steps, and not require a consumer to create a new user account. Notably, a data rights request method does not have to be specific to Colorado, provided it “clearly indicates which rights are available to Colorado consumers.” Controllers must also provide instructions on how to appeal a data rights request decision.
    • Opt-out rights and mechanisms. Under the proposed rules, controllers must cease processing a consumer’s personal data for opt-out purposes as soon as feasibly possible but no later than 15 days after the request is received (authorized agents may exercise a consumer’s opt-out right provided certain criteria is met). A record of opt-out requests and responses also must be maintained. Clear and conspicuous opt-out methods must be provided in a controller’s privacy notice, as well as in a readily accessible location outside the privacy notice “at or before the time” the personal data is processed for opt-out purposes. The proposed rules also provide that the Colorado Department of Law will maintain a public list of universal opt-out mechanisms that have been recognized by the AG’s office as meeting the required standards. The proposed rules also provide details for deployment, and state that ease of use, implementation, and detection, among other factors will be considered when determining which universal opt-out mechanisms will be recognized. Additionally, the proposed rules state that a universal opt-out mechanism may also be a “do not sell list” that controllers query in an automated manner.
    • Right of access, and right to correction, deletion, and data portability. The proposed rules outline controller requirements for handling consumers’ requests to access, correct, or delete their personal data, as well as instructions for complying with data portability requests. The proposed rules also consider instances where personal data may be corrected more quickly and easily through account settings than through the data rights review process.
    • Data minimization. Under the proposed rules, controllers would be required to “specify the express purposes” for which personal data is collected and processed in a manner that is “sufficiently unambiguous, specific, and clear.” Controllers must also consider each processing activity to determine whether it meets the requirement to use only the minimum personal information necessary, adequate, or relevant for the express purpose.
    • Data protection assessments. The proposed rules provide a list of 18 elements for controllers to include when assessing whether a processing activity presents a “heightened risk of harm,” including the specific purpose of the processing activity, procedural safeguards, alternative processing activities, discrimination harms, and the dates the assessment was reviewed and approved. The proposed rules also require that these assessments be revisited and updated at least annually in certain instances for fairness and disparate impact. Assessments are required for activities conducted after July 1, 2023, and are not retroactive.
    • Profiling. Under the proposed rules, controllers are obligated to clearly inform consumers when their personal data is being used for profiling. Consumers must also have the right to opt out of profiling in connection with decisions that result in legal or similar effects on consumers, and controllers that engage in profiling must provide additional disclosures in their privacy notices. A controller may deny a consumer’s request to opt out if there is human involvement in the automated processing, but is required to provide additional notice in such cases.

    The proposed rules also contain provisions addressing requirements for refreshing consent, how data right requests impact loyalty programs and the disclosures that are required for these programs, and how a consumer’s right to delete might impact a controller’s ability to provide program benefits.

    Comments on the proposed rules will be accepted between October 10 and February 1, 2023. On February 1, a proposed rulemaking public hearing will be held to hear testimony from stakeholders.

    Privacy, Cyber Risk & Data Security State Issues Colorado Colorado Privacy Act State Attorney General Consumer Protection

  • Colorado seeks comments on privacy rulemaking; draft regulations to come this fall

    Privacy, Cyber Risk & Data Security

    Recently, the Colorado attorney general released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The considerations seek informal public input on any area of the CPA, including those “that need clarification, consumer concerns, anticipated compliance challenges, impacts of the CPA on business or other operations, cost concerns, and any underlying or related research or analyses.” As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters. Finally, the AG has authority to develop technical specifications for at least one universal opt-out mechanism.

    The AG’s office stated that it plans to adopt a principle-based model for the state’s rulemaking approach rather than a prescriptive one, and outlined five principles intended to help implement the CPA:

    • rules should protect consumers and help consumers understand and exercise their rights;
    • rules should clarify ambiguities as necessary to promote compliance and minimize unnecessary disputes;
    • rules should facilitate efficient and expeditious compliance by ensuring processes are simple and straightforward for consumers, controllers and processors, and enforcement agencies;
    • rules should facilitate interoperability and allow the CPA to function alongside protections and obligations created by other state, national, and international frameworks; and
    • rules should not be unduly burdensome so to as to prevent the development of adaptive solutions to address challenges presented by advances in technology.

    The pre-rulemaking considerations laid out several questions for input related to topics addressing universal opt-out mechanisms, consent for processing consumer data in specific circumstances, dark patterns, data protection assessments that screen for heightened risk of harm, the effects of profiling on consumers, opinion letters and interpretive guidance, offline and off-web data collection, and differences and similarities between the CPA and laws in other jurisdictions. A formal notice of rulemaking and accompanying draft regulations will be issued this fall. Comments may be submitted through the AG’s portal here.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Consumer Protection

Upcoming Events