On December 21, 2022, the Colorado Attorney General (“AG”) issued its latest set of draft regulations for the Colorado Privacy Act, which takes effect on July 1, 2023. The draft regulations revise an earlier set published on October 10, 2022. While not yet final, these reflect a number of positive changes for companies, as well as additional detail on key areas including consent refresh, profiling, and controller duties. The most notable changes include:

Consent. Unlike the earlier draft regulations which offered little detail on refreshing consumer consent, the latest draft regulations provide some clarity. A controller must refresh consent when the consumer has not interacted with the controller in the prior twelve months and (1) the controller is processing sensitive data; or (2) the controller is processing personal data for a secondary use that “involves profiling for a decision” (discussed further below). However, controllers are not required to refresh consent where a consumer has access and is able to update opt-out preferences “at any time through a user controlled interface.”

Profiling. The most recent draft regulations address profiling for specific activities, adding some detail to a previously vague area. Controllers must allow consumers the right to opt out of profiling which leads to the “furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.”

Duties of Controllers. In the latest version of the draft regulations, controllers are no longer required to include information specific to each processing purpose. Rather, information must be “linked in a way that gives consumers a meaningful understanding of how their personal data will be used when they provide that personal data to the controller for a specified purpose.” Additionally, the draft regulations provide more detailed requirements for safeguarding personal data, listing various factors that controllers must consider, such as “applicable industry standards and frameworks” and “the sensitivity and amount of personal data.”

Consumer Personal Data Rights. The draft regulations revise the existing personal data rights by adding more details. Among other changes, the right of access will require controllers to provide consumers with all “specific pieces of personal data” including “final profiling decisions, inferences, derivative data, and other personal data created by the controller which is linked or reasonably linkable to an identified or identifiable individual.” For the right to correction, the draft regulations address the potential compliance issues resulting from personal data stored on backup systems.

Universal Opt-Out Mechanism. Consumers continue to have a clear right to opt out of the processing of personal data. However, companies should note that the new regulations move up the date for establishing a public list of universal opt-out mechanisms from April 1, 2024 to January 1, 2024. The Colorado Department of Law will allow controllers six months to recognize any added universal opt-out mechanisms to the public list.

Data Protection Assessments. The latest draft significantly revises the requirements for what controllers must include in data protection assessments, simplifying the process for companies. For example, instead of including the specific purpose for processing personal data, controllers are instead required to provide a short summary of processing activity.

Definitions. The draft regulations revised several previously proposed definitions, while adding new defined terms. For example, the definition for “biometric identifiers” now includes “characteristics that can be processed for the purpose of uniquely identifying an individual.” Additionally, the Colorado AG updated the list of definitions by adding new defined terms, such as “employee,” “employer,” and “employment records.”

What does this mean for companies?

Given the significant changes that may be included in the new regulations, companies should take steps to prepare now. While some of these changes do simplify compliance, others add new complexity. Companies that are updating their current policies and practices to comply with the new state privacy laws in California and Virginia should review the Colorado draft regulations to ensure consistency and compliance with all state privacy laws. However, as these regulations are not yet final, there may be further changes, so ongoing engagement remains necessary.

The Colorado AG is accepting comments until January 18, 2023, ahead of a public rulemaking hearing on February 1, 2023. In addition to general feedback and input on controllership issues and definitions, the Colorado AG’s Office has specifically sought input on issues including verifying consumer personal data rights through IP addresses; a universal opt-out mechanism; and bona fide loyalty programs.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new rules and regulations like those outlined here. If you have any questions concerning these rules or any other data privacy or cybersecurity laws or regulations, please do not hesitate to contact any member of our team.