The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”). These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th. The Attorney General will convene a formal rulemaking hearing on February 1, 2023. In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration.
The revised Draft Rules incorporate a number of edits to the prior draft, including changes to the following terms and requirements:
- Biometric Data & Identifiers: The Draft Rules revise the definition of Biometric Identifiers to “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be Processed for the purpose of uniquely identifying an individual…” The definition of Biometric Data is retained as “Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes.”
- Publicly Available Information: The Attorney General’s office revised the definition of Publicly Available Information to remove from its scope “[i]nferences made exclusively from multiple independent sources of publicly available information.”
- Changes to a Privacy Notice: The Draft Rules require notice of “substantive or material changes” to a privacy notice and removes the requirement to provide such notice 15 days in advance. The Draft Rules define the types of circumstances that would constitute a “substantive or material change” to include (but are not limited to) changes to the categories of personal data processed, processing purposes, controller’s identity, sharing personal data with third parties, the identity of affiliates, processors, or third parties personal data is shared with, and methods by which consumers can exercise their consumer rights requests. If the change constitutes processing data for a secondary use, the Attorney General amended the Draft Rules to require consent.
- Refreshing Consent: The Draft Rules limit the circumstances that require controllers to refresh consent to those where the consumer “has not interacted” with the controller in the prior twelve months and the controller is processing (1) sensitive data pursuant to consent or (2) processing personal data for a secondary use that involves profiling for a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services. The Draft Rules also note that the controller need not refresh consent if the consumer has the ability to “update their opt-out preferences at any time through a user controlled interface.”
- Universal Opt-Out Mechanisms: The Draft Rules incorporate a number of changes to the discussions regarding the universal opt-out mechanisms. For example, the Draft Rules were amended to remove discussion of the “do not sell” list as a potential universal opt-out mechanism.
- Data Processing Assessments: The Draft Rules make a number of changes to the required considerations that must be included in a data protection impact assessment, including removing the requirement to consider how the processing is adequate, relevant, and limited to what is reasonably necessary. The Draft Rules add new considerations that must be addressed, including required assessments of the reasonable expectations of consumers, the sources of personal data, and the technology to be used. Regarding data protection assessments that assess profiling, the Draft Rules add that an assessment undertaken under another jurisdiction’s law or regulation is sufficient if that data protection assessment is “reasonably similar in scope and effect.”