The Colorado Attorney General recently released the second set of draft regulations to the Colorado Privacy Act (CPA). In this draft, the AG is seeking specific input on five different topics. There are also a number of changes to the first draft – some of which will be welcomed by businesses. Companies are reminded that the CPA goes into effect July 1, 2023.
Topics for Comment
Overview of Some Notable Changes
- Definitions. There are new and revised definitions. For example, there is a new definition for “employee” and “employment records.” There is also an update to the definition of “biometric identifiers.”
- Notice. This draft removes the requirement that privacy notices be purpose-based. Instead, the processing purpose and type of personal data processed must be linked in a way that gives consumers a meaningful understanding of how their personal data will be used. The previous draft’s “purposed based” requirement differed from requirements in other states and would have made simultaneous compliance difficult. This draft also includes further detail on the “substantive or material” changes to processing that will trigger a requirement to update privacy notices.
- Universal Opt-out Mechanism. The Colorado AG has moved up the date for publishing its initial list of approved opt-out providers from April 2024 to January 2024. Under this draft, businesses would have six months from the date an opt-out signal/provider is recognized by the AG to begin complying with that new signal or provider.
- Security Measures. There are more detail about the obligations to safeguard personal data. For example, organizations will be required to consider “[a]pplicable industry standards and frameworks” when identifying reasonable and appropriate safeguards.
- Consent. The original draft regulations introduced the concept that businesses might have to refresh consumer consent on regular intervals but largely left to a business’ discretion what that interval should be. The new draft regulations now provide that consents must be refreshed when the consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information or (ii) is processing personal data for a secondary data use that involves profiling for a decision that could have a significant effect on the consumer. The draft includes a safe harbor of sorts to the extent consumers have the ability to update their own opt-out preferences at any time, then there is no need to refresh consent.
- Data Protection Assessment Requirements. The most recent changes reduce the substance of what must be in data protection assessments.
Stakeholders have until January 18, 2023 to submit comments to this draft. A rulemaking hearing is set for February 1, 2023. It is anticipated that the final draft will be published in advance of when the law takes effect in July 2023.
Putting it into Practice. Companies working now to make updates for the forthcoming changes in California and Virginia on January 1 may want to consider what aspects are also addressing Colorado requirements.