We have written previously regarding Colorado’s adoption of the Colorado Privacy Act (CPA)—describing its provision of consumer data rights, how it may function within the context of the cannabis industry, and how businesses might consider the law as they renew their insurance coverage. And all this before the state released regulations accompanying the CPA.
On March 15, 2023, the Colorado Attorney General filed the final rules implementing the CPA to go into effect July 1, 2023. The following finalized rules are noteworthy—both for their technical specificity and their uniqueness. (Note: Capitalized words have specific definitions under either the CPA or the regulations.)
Universal Opt-Out Mechanisms. Companies must provide Consumers the opportunity to opt out of the sale or processing of their Personal Data for purposes of targeted advertising. A Consumer may use a universal opt-out signal (generally sent through their web browser) that communicates automatically, to all Controllers at once, that they opt out of the sale or processing of their Personal Data. The Rules dictate that companies have some mechanism that recognizes the Consumer’s preferences and meets certain technical requirements (for example, default settings and authentication). The Rules announce that the Colorado Department of Law will maintain a public list of Universal Opt-Out Mechanisms that have been recognized to meet these technical requirements; the list will be available no later than January 1, 2024.
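As an added illustration (not code from the post or from the Colorado Department of Law), the following shows how a Controller’s server might recognize a browser-sent universal opt-out signal and gate sale and targeted-advertising processing on it. It assumes the signal arrives as the Sec-GPC: 1 request header used by Global Privacy Control, which the post does not name, and conservatively lets the signal override any stored per-purpose preference.

```javascript
// Added example, not part of the original post. Assumption: the universal
// opt-out signal is the "Sec-GPC: 1" request header (Global Privacy Control).
const OPT_OUT_PURPOSES = ["sale", "targeted_advertising"];

// True when the request carries a recognized universal opt-out signal.
// The header is meaningful only when its value is exactly "1".
function hasUniversalOptOutSignal(headers) {
  const value = headers["sec-gpc"];
  return typeof value === "string" && value.trim() === "1";
}

// Resolves which purposes are opted out for this request.
// storedPreferences: per-purpose choices previously recorded for an
// authenticated Consumer (constructed shape: { sale: "opt_out" }), or null
// for a visitor with no recorded choices.
function resolveOptOuts(headers, storedPreferences) {
  const optedOut = new Set();
  if (storedPreferences) {
    for (const purpose of OPT_OUT_PURPOSES) {
      if (storedPreferences[purpose] === "opt_out") optedOut.add(purpose);
    }
  }
  // The universal signal is honored for every covered purpose regardless of
  // defaults, so a first-time visitor sending it is still opted out.
  if (hasUniversalOptOutSignal(headers)) {
    for (const purpose of OPT_OUT_PURPOSES) optedOut.add(purpose);
  }
  return optedOut;
}

// Gate to call before sharing Personal Data with an ad partner or buyer.
function mayProcessFor(purpose, headers, storedPreferences) {
  return !resolveOptOuts(headers, storedPreferences).has(purpose);
}

// Constructed sample request: browser signal present, no stored choices.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "example-browser" };
console.log("sale allowed:", mayProcessFor("sale", sampleHeaders, null));
```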
Privacy Notices. Controllers must provide a privacy notice giving consumers a “meaningful understanding and accurate expectations of how their Personal Data will be Processed.” Such a notice must identify the categories of Personal Data Processed, the Processing purpose, and whether the Personal Data that a consumer provides for a specific purpose will be sold or used for Targeted Advertising or Profiling (more on that below).
Loyalty Programs. If a consumer opts out of the sale of their personal data or processing for targeted advertising, and that data was needed for a “Bona Fide Loyalty Program Benefit,” the Controller no longer needs to provide that benefit. However, if the loyalty program offers benefits that are unrelated to the exchange of the Consumer’s Personal Data, the Controller must provide those benefits.
Valid Consent. Controllers must obtain valid Consumer Consent before processing or selling Consumer Data. The rules lay out the required elements for a valid consent: it must (1) be obtained through the Consumer’s clear, affirmative action; (2) be freely given; (3) be specific; (4) be informed; and (5) reflect the Consumer’s unambiguous agreement. The Rules lay out the characteristics of each of the elements.
User Interface Design and Dark Patterns. Perhaps one of the most unique features of the Rules is the specificity with which they describe the design principles Controllers should use to obtain Consent. Regarding design principles, the Rules say that “[c]onsent choice options should be presented to Consumers in a symmetrical way that does not impose unequal weight or focus on one available choice over another such that a Consumer’s ability to consent is impaired or subverted.” Further, consent choices should not use manipulative language or visuals designed to trick consumers (“dark patterns”). Buttons that say (as the Rules illustrate) “I accept, I want to help endangered species” or “No, I don’t care about animals” would constitute manipulation. The Rules list several other design principles that help ensure that Consumers are able to make informed decisions regarding whether or not to Consent to sharing their Personal Data.
Data Protection Assessments. The Rules require that a data protection assessment identify and describe risks to Consumers associated with Processing of their data, document measures considered and taken to offset those risks, describe the benefits of the Processing, and demonstrate that those benefits outweigh the risks as offset by safeguards. Controllers must use the scope of the risk presented, the size of the Controller, and the amount and sensitivity of the Personal Data Processed to determine what the data protection assessment should look like.
Profiling Opt-Out Transparency. If a Controller is Processing Personal Data for Profiling (a form of automated processing of Personal Data to predict certain things about the Consumer, such as their interests, personal preferences, health, or wealth status), its data protection assessment must include certain information. That information includes an explanation of the decision to use Profiling, an explanation of the training data and logic used to create the Profiling system, how the Profiling system is evaluated for fairness and disparate impact, and the results of any such evaluation.
While these aspects of the CPA are particularly noteworthy, the CPA does not have a section that identifies the responsibilities of Third Parties that may encounter Consumer Personal Data. Additionally, enforcement is left exclusively to the Colorado Attorney General and district attorneys. That being the case, enforcement for violations may be slow going at the start.
Time will tell how these new (and specific) Rules influence the ways in which companies operate in Colorado and beyond.