On April 12, 2022, the Colorado Department of Law (the “Department”) released its Pre-Rulemaking Considerations for the Colorado Privacy Act (the “CPA”), following state Attorney General Phil Weiser’s remarks at the International Association of Privacy Professionals’ (IAPP) Global Privacy Summit in Washington, D.C. The Department seeks informal input on several topics in addition to general comments on the CPA. Comments may be provided until the end of August 2022 by using the CPA Comment Form and attending a series of to-be-scheduled informal listening sessions.
The Department seeks to promulgate rules that “promote consumer rights,” “clarify ambiguities” in the CPA, “facilitate efficient and expeditious compliance” with the CPA, “harmonize” the CPA requirements with other state, national, and international frameworks, and “allow for innovation.”
In its Pre-Rulemaking Considerations, the Department highlighted the following topics on which it believes it will be particularly beneficial to receive feedback. The Department also posed specific questions on these topics, which may be found in the Pre-Rulemaking Considerations.
- Universal Opt-Out. The CPA requires the Attorney General to issue rules describing the technical specifications for one or more universal mechanisms to allow a consumer to opt out of the processing of personal data for targeted advertising or the sale of personal data. During his IAPP remarks, Attorney General Weiser indicated that he preferred a principle-based approach that would allow interoperability with requirements of other jurisdictions (as opposed to a prescriptive approach).
- Consent. The Department seeks input on further defining and describing “consent.” The CPA defines “consent” as a “clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement….” The CPA requires controllers to obtain consent prior to processing (i) sensitive data (including children’s data), (ii) personal data for secondary use (i.e., for purposes not reasonably necessary to or compatible with the purposes specified to consumers), and (iii) personal data for targeted advertising or data sales if the consumer has opted out of such processing.
- Dark Patterns. Further to the topic of consent, the Department is considering issuing rules governing dark patterns, including providing standards to guide design choices so as to avoid the inadvertent use of dark patterns. The CPA defines a “dark pattern” as a “user interface designed or manipulated with the substantial effect of subserving or impairing user autonomy, decision-making, or choice.” Agreement obtained through dark patterns does not constitute consent.
- Data Protection Assessments (DPAs). The Department is soliciting pre-rulemaking input on DPAs, including on the form and content of DPAs, whether DPAs that are compliant with other jurisdictions’ requirements should be deemed compliant under the CPA, the circumstances in which the Department should request DPAs, and the permissible scope of a DPA that covers a “comparable set of processing operations that include similar activities.”
- Profiling and “Legal or Similarly Significant Effects.” The Department is considering rules that would govern the CPA’s right to opt out of “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” “Profiling” refers to “any form of automated processing of personal data” for certain purposes. The right to opt out of profiling raises concerns of an overly broad opt-out right that could include within its scope processing with automated and manual components. During his IAPP remarks, Attorney General Weiser declined to commit to limiting the right to opt out of profiling to processing that is fully automated.
- Opinion Letters and Interpretive Guidance. The CPA provides that, by January 1, 2025, the Attorney General may adopt rules governing the process of issuing opinion letters and interpretive guidance to “develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of the CPA.” Beyond procedural rules, the Department seeks input on the “type of interpretive guidance” that the rules should provide.
- Offline and Off-Web Collection of Data. The Department requested comments to help develop rules governing the processing of personal data collected offline, including whether the technical specifications for the universal opt-out mechanism should cover such data.
- Protecting Coloradans in a National and Global Economy. The Department solicits input on how it can protect Colorado residents while addressing the consumer confusion and compliance challenges that may arise from the emergence of numerous state comprehensive privacy laws.
After the pre-rulemaking process ends in August 2022, the Department will begin formal notice-and-comment rulemaking by issuing a notice of rulemaking and accompanying draft regulations. The formal rulemaking process will include at least one formal hearing and the opportunity to submit comments that will be included in the rulemaking record. The Privacy, Cyber & Data Strategy Team will continue to provide updates on CPA rulemaking as they are released.