InfoBytes Blog
Colorado releases draft Colorado Privacy Act rules
On September 29, the Colorado attorney general published proposed draft Colorado Privacy Act (CPA) rules with the Colorado Department of Regulatory Agencies. (See Colorado Register here.) As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights. The CPA provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism.
Pre-rulemaking considerations were released in April, where the AG’s office stated that it planned to adopt a principle-based model for the state’s rulemaking approach, rather than a prescriptive one (covered by InfoBytes here). Comments received on the pre-rulemaking considerations, as well as feedback received during two public listening sessions, were considered when drafting the proposed rules. The AG’s office explained that when considering feedback it sought to clarify the CPA, simplify compliance, and ensure consumer privacy rights granted by the statute are protected, while also attempting to create a legal framework that “does not overly burden technological innovation” while operating in conjunction with other national, state, and international data privacy laws.
- Definitions. The proposed rules add new terms beyond those already defined in the CPA, including terms related to biometric data and identifiers (including behavioral characteristics), bona fide loyalty programs, data brokers, automated processing, publicly available data, opt-out purposes and mechanisms, sensitive data inferences, and solely automated processing. “Sensitive data inferences” are inferences drawn from personal data that indicate an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. Controllers must obtain consent before processing sensitive data inferences unless specific requirements are met, and must also comply with retention and deletion requirements for this type of information.
- Disclosures. The proposed rules provide that disclosures, notifications, and other communications to consumers must be clear, accessible, and understandable, and must be available in the languages in which the controller would ordinarily do business, as well as be accessible to consumers with disabilities (online notices should generally follow recognized industry standards such as version 2.1 of the Web Content Accessibility Guidelines).
- Consumer personal data rights. The proposed rules outline requirements for submitting data rights requests, including through online and in-person methods, and require controllers to use reasonable data security measures when exchanging information. Among other things, requests should be easy to execute, require a minimal number of steps, and not require a consumer to create a new user account. Notably, a data rights request method does not have to be specific to Colorado, provided it “clearly indicates which rights are available to Colorado consumers.” Controllers must also provide instructions on how to appeal a data rights request decision.
- Opt-out rights and mechanisms. Under the proposed rules, controllers must cease processing a consumer’s personal data for opt-out purposes as soon as feasibly possible, but no later than 15 days after the request is received (authorized agents may exercise a consumer’s opt-out right provided certain criteria are met). A record of opt-out requests and responses must also be maintained. Clear and conspicuous opt-out methods must be provided in a controller’s privacy notice, as well as in a readily accessible location outside the privacy notice “at or before the time” the personal data is processed for opt-out purposes. The proposed rules further provide that the Colorado Department of Law will maintain a public list of universal opt-out mechanisms that the AG’s office has recognized as meeting the required standards, set out details for deployment, and state that ease of use, implementation, and detection, among other factors, will be considered when determining which universal opt-out mechanisms will be recognized. Additionally, a universal opt-out mechanism may take the form of a “do not sell list” that controllers query in an automated manner.
- Right of access, and right to correction, deletion, and data portability. The proposed rules outline controller requirements for handling consumers’ requests to access, correct, or delete their personal data, as well as instructions for complying with data portability requests. The proposed rules also consider instances where personal data may be corrected more quickly and easily through account settings than through the data rights review process.
- Data minimization. Under the proposed rules, controllers would be required to “specify the express purposes” for which personal data is collected and processed in a manner that is “sufficiently unambiguous, specific, and clear.” Controllers must also consider each processing activity to determine whether it meets the requirement to use only the minimum personal information necessary, adequate, or relevant for the express purpose.
- Data protection assessments. The proposed rules provide a list of 18 elements for controllers to include when assessing whether a processing activity presents a “heightened risk of harm,” including the specific purpose of the processing activity, procedural safeguards, alternative processing activities, discrimination harms, and the dates the assessment was reviewed and approved. Assessments must be revisited and updated at least annually, and in certain instances must be reviewed for fairness and disparate impact. Assessments are required only for processing activities conducted after July 1, 2023, and are not retroactive.
- Profiling. Under the proposed rules, controllers are obligated to clearly inform consumers when their personal data is being used for profiling. Consumers must also have the right to opt out of profiling in connection with decisions that result in legal or similar effects on consumers, and controllers that engage in profiling must provide additional disclosures in their privacy notices. A controller may deny a consumer’s request to opt out if there is human involvement in the automated processing, but is required to provide additional notice in such cases.
The proposed rules also contain provisions addressing requirements for refreshing consent, how data right requests impact loyalty programs and the disclosures that are required for these programs, and how a consumer’s right to delete might impact a controller’s ability to provide program benefits.
Comments on the proposed rules will be accepted between October 10 and February 1, 2023. On February 1, a proposed rulemaking public hearing will be held to hear testimony from stakeholders.
Colorado issues remote work guidance to collection agencies
On August 19, the Colorado attorney general published updated remote-work guidance for employees of entities regulated by the Consumer Credit Unit. The memorandum notes that HB 22-1410, signed by the governor on June 7, amended Colorado’s Uniform Consumer Credit Code so that a supervised lender licensee may permit its employees to work from a remote location, so long as the licensee complies with certain requirements. The memorandum also provided that the March 2020 guidance issued by the Consumer Credit Unit Administrator for employees of regulated entities during the COVID-19 pandemic “remains in effect for regulated entities not covered by HB22-1410, including collection agencies, debt management providers, and student loan servicers, and will remain in effect until the last day of the 2023 legislative session of the 74th General Assembly, May 10, 2023.” The memorandum further noted that “due to concerns regarding the COVID-19 outbreak, individuals who work for regulated entities may be required, or wish, to work from home to avoid further spread of the outbreak, even though their homes are not licensed as branches.”
The memorandum also disclosed that the state will not take any administrative, disciplinary, or enforcement actions for individuals working at home in what are technically unlicensed branches as long as certain criteria are met: (i) “The Colorado activity is conducted from the home location of an individual working on behalf of an entity who is licensed, registered, or files notification with the Administrator”; (ii) “The individual is working from home due to a reason connected to the Covid-19 outbreak and has informed the regulated entity in writing”; (iii) “None of the Colorado activity will be conducted in person with members of the public at the home location”; (iv) “Individuals working from home will not advertise, receive official mail directly, or permanently store any books or records at their remote location”; (v) “The Colorado licensee shall at all times exercise reasonable supervision of the licensable activity being performed at the home office and ensure sufficient safeguards to protect consumer information and data security”; and (vi) “The individual ceases conducting the activity from the home location as soon as reasonably possible, consistent with recommendations from the CDC, CDPHE, and applicable state health departments.”
Colorado reminds collection agencies about medical law
On August 16, the Colorado attorney general published a memorandum reminding collection agency licensees and interested parties that HB21-1198 becomes effective September 1. HB21-1198, among other things, amends the Colorado Fair Debt Collection Practices Act to add a new unfair practice—attempting to collect a debt that violates certain HB21-1198 requirements. The bill also creates requirements for notice and certain limitations on collections of medical debt. Specifically, the bill enacts healthcare billing requirements for indigent patients who are treated, but not reimbursed, through the state’s indigent care program and sets forth requirements before any collection proceeding may be initiated against an indigent patient.
Colorado enacts medical debt collection bill
On June 9, the Colorado governor signed HB 1285, which prohibits hospitals from taking certain debt collection actions against a patient if the hospital is not in compliance with hospital price transparency laws. Specifically, the bill prohibits hospitals that are not in compliance with a price transparency rule that went into effect in January 2021 from placing debts with third-party collection agencies, filing lawsuits to collect on unpaid debts, and reporting debts to credit reporting agencies. The bill also establishes that a patient may file suit if they believe that a hospital was not in material compliance with price transparency laws.
Colorado seeks comments on privacy rulemaking; draft regulations to come this fall
Recently, the Colorado attorney general released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The considerations seek informal public input on any area of the CPA, including those “that need clarification, consumer concerns, anticipated compliance challenges, impacts of the CPA on business or other operations, cost concerns, and any underlying or related research or analyses.” As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters. Finally, the AG has authority to develop technical specifications for at least one universal opt-out mechanism.
The AG’s office stated that it plans to adopt a principle-based model for the state’s rulemaking approach rather than a prescriptive one, and outlined five principles intended to help implement the CPA:
- rules should protect consumers and help consumers understand and exercise their rights;
- rules should clarify ambiguities as necessary to promote compliance and minimize unnecessary disputes;
- rules should facilitate efficient and expeditious compliance by ensuring processes are simple and straightforward for consumers, controllers and processors, and enforcement agencies;
- rules should facilitate interoperability and allow the CPA to function alongside protections and obligations created by other state, national, and international frameworks; and
- rules should not be unduly burdensome so as to prevent the development of adaptive solutions to address challenges presented by advances in technology.
The pre-rulemaking considerations laid out several questions for input related to topics addressing universal opt-out mechanisms, consent for processing consumer data in specific circumstances, dark patterns, data protection assessments that screen for heightened risk of harm, the effects of profiling on consumers, opinion letters and interpretive guidance, offline and off-web data collection, and differences and similarities between the CPA and laws in other jurisdictions. A formal notice of rulemaking and accompanying draft regulations will be issued this fall. Comments may be submitted through the AG’s portal here.
Colorado reaches agreements with credit unions over unrefunded GAP fees
Recently, the Colorado attorney general announced three separate settlements (see here, here, and here) with three credit unions resolving allegations that they neglected to refund unearned Guaranteed Automobile Protection (GAP) fees to Colorado consumers. The administrator of the Uniform Consumer Credit Code (UCCC), who is part of the Consumer Protection Division of the Department of Law and who led this investigation, concluded that the credit unions engaged in unfair and deceptive trade practices under the Colorado Consumer Protection Act by failing to provide GAP refunds automatically without waiting for a request from the consumer. Under the terms of the assurances of discontinuance, the credit unions have agreed to comply with all legal obligations and issue refunds to affected borrowers, and: (i) must comply with the UCCC rule’s GAP refund requirements; (ii) are subjected to an audit to verify the accuracy of their self-audits; and (iii) must send a confirmation letter pre-approved by the administrator to each consumer to whom a GAP refund was paid because of the self-audits. The AG noted that the “settlements are part of our office’s efforts to ensure lending institutions follow Colorado law and do not cheat hardworking consumers out of money they are entitled to under their lending and coverage agreements.”
Colorado releases guidance on data privacy and security in advance of CPA implementation
On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The Colorado AG has enforcement authority for the CPA, which does not have a private right of action. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024.
AG Phil Weiser stated that, by this fall, his office will post a formal Notice of Proposed Rulemaking, including a proposed set of model rules, with the goal of adopting a final rule roughly a year from now. AG Weiser also outlined best practices that will be weighed in determining whether a company is acting reasonably to safeguard sensitive information. Notably, the AG’s office will first evaluate whether a company has identified the types of data it collects and established a system for storing and managing that data (including disposal procedures). Considerations will then be made as to whether the company has a written information security policy and a written data incident response plan. The AG’s office will also examine a company’s practices for monitoring vendors’ data security measures. AG Weiser also referenced the recently released Data Security Best Practices guidance, which outlines key steps companies should take to protect consumer data, including ways to adopt information security and incident response policies, train employees on mitigating and responding to cybersecurity attacks, and notify appropriate parties in the event of a data breach, among other topics.
FDIC announces Washington, Arkansas, and Colorado disaster relief
On January 12, the FDIC issued FIL-05-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Washington state affected by flooding and mudslides. The FDIC acknowledged the unusual circumstances faced by institutions and their customers affected by the severe weather events in certain counties of Washington and suggested that institutions work with impacted borrowers to, among other things, (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” The FDIC noted that it will consider the unusual circumstances when examining efforts to work with borrowers in affected communities and that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements. Earlier, on January 5, the FDIC issued FIL-01-2022 and FIL-02-2022 to provide the same regulatory relief to financial institutions and help facilitate recovery in areas of Arkansas and Colorado affected by severe storms, tornadoes, winds, and wildfires.
Student loan servicer agrees to produce requested records
On September 28, the Colorado attorney general announced that a Pennsylvania-based student loan servicer responsible for handling the federal Public Service Loan Forgiveness (PSLF) program has agreed to comply with a state law requiring consumer protection oversight. As previously covered by InfoBytes, the AG sued the servicer in May for allegedly failing to comply with state law when asked to provide certain documentation related to the servicer’s handling of the PSLF program during the Covid-19 pandemic. The servicer allegedly refused to produce the requested materials and only provided certain limited documents regarding non-government owned loans related to its business line. Under the terms of the assurance of discontinuance, the servicer (while denying any liability) has agreed to produce the requested records in compliance with the Colorado Student Loan Equity Act.
Colorado announces settlement with auto lender
On September 10, the Colorado attorney general announced a settlement with a Texas-based auto lender (defendant) resolving allegations that its lending practices exposed consumers to unnecessarily high levels of risk and knowingly placed consumers into auto loans with a high probability of default, in violation of Colorado’s consumer protection laws, among other things. Under the terms of the assurance of discontinuance, the defendant must amend its origination and collection practices, including by, among other things: (i) rescinding consumers’ debt on certain loans; (ii) attempting to repurchase any loans that may be held by third parties; and (iii) setting a reasonable debt-to-income threshold to ensure that the defendant is reasonably evaluating a consumer’s ability to pay.