The Colorado Attorney General (AG) has recently issued two rounds of revisions to its comprehensive set of regulations implementing the Colorado Privacy Act (CPA) – the first on December 21, 2022, and the second on January 27, 2023 (available here). The next hearing on the current set of proposed rules (and the deadline for submitting comments on the rules) is set for 10 AM MST on February 1, 2023. It’s unclear whether the AG will release further sets of revised rules as a result of this hearing.
If you’re interested in seeing where the regulations started, take a look at our prior post in October. Below we discuss some of the major revisions that have taken place since the original draft in October.
Duty of Care
While the original regulations imposed a general duty on Controllers to protect the personal data they process, the revisions add considerably more detail about the scope of this duty. Controllers must process personal data in a way that ensures “reasonable” (not just “appropriate”) administrative, technical, organizational, and physical safeguards. The safeguards are now required to be designed not only to protect against unauthorized access and accidental loss, destruction, or damage to personal data, but also to ensure the confidentiality, integrity, and availability of personal data, identify and protect against reasonably anticipated security and integrity threats, and ensure compliance with internal policies. However, Controllers are permitted to take into account a variety of factors in determining what safeguards are “reasonable,” including but not limited to the nature and sensitivity of the data and the cost/burden of implementation.
Consumer Rights
Universal Opt-Out Mechanism. The revised regulations preserve a consumer’s right to utilize a Universal Opt-Out Mechanism (UOOM) (e.g., a browser-based opt-out signal), but clarify that the UOOM need not be tailored to or reference the Colorado Privacy Act, stating that a UOOM that permits consumers to exercise “any and all opt-out rights available to you under state laws” is sufficient.
In addition, the Colorado Department of Law will release the public list of approved UOOMs on January 1, 2024 (moved up from the original release date of April 1, 2024). The AG has added a six-month grace period for Controllers to recognize all UOOMs added to the list.
Right to Access; Trade Secrets. The revised regulations clarify that the “personal data” that a consumer has the right to receive from a Controller in response to an access request includes “profiling decisions, inferences, derivative data, and other personal data created by the Controller” that is linked to the individual. Consumers also have the right to receive such data in a “portable format.”
The revisions introduce two caveats to this right related to the protection of trade secrets. If providing data in a portable format would reveal trade secrets, Controllers may provide the data in a “format or manner which would not reveal [the] trade secrets, such as in a nonportable format.” In addition, if a Controller possesses raw personal data and inferences or derived data based on the raw data, and if sharing both the raw data and the inferences/derived data would reveal a trade secret, the Controller can choose to disclose either the raw data or the inferences/derived data, as long as it is clear to the consumer that the Controller possesses both types of personal data. This may help Controllers protect the mechanisms by which they reach inferences or derived data by, for example, reducing the likelihood that raw and derived data could be used to reverse-engineer the process.
Other Topics
Two other notable changes are:
- DPIAs. Some of the topics that a DPIA must address have been softened. For example, Controllers must still consider a consumer’s reasonable expectations about how their data is processed, but Controllers have more liberty to determine the appropriate basis of such expectations. Controllers must still weigh the benefits of processing against the risks, but the nature of the benefits is less prescribed. And the manner of obtaining consent and allowing consumers to exercise rights must be considered, but the requirement is less detailed than before.
- Consent. The refresh requirement has been relaxed. Previously, Controllers had to solicit refreshed consent “at regular intervals.” This has been changed to only require refreshes when both (1) the Controller has not interacted with the consumer in the prior 12 months and (2) the data is either sensitive or being used for a secondary use that involves profiling for certain decisions that significantly affect people’s rights (e.g., financial, housing, or employment decisions). Thus, Controllers will only need to refresh consent in very limited situations.
The draft regulations may undergo further revisions prior to being finalized. We will continue to track the regulatory process and provide further updates on any significant revisions.