On April 12, 2022, the Colorado Attorney General’s Office released “Pre-Rulemaking Considerations for the Colorado Privacy Act,” which provides a series of topics and questions for which the office seeks informal public feedback.1 Here is what you need to know:
- The Colorado Attorney General’s Office is currently seeking informal input to guide its future rulemaking efforts. While, at this phase, public input will not be considered part of the official rulemaking record, the AG’s office “hopes to hear from a diverse group of stakeholders to guide the drafting of balanced and impactful regulations.”
- The AG’s office identified eight specific topics—each with several targeted questions—for which “pre-rulemaking feedback will be particularly beneficial.” However, the public is permitted to offer input on any aspect of the upcoming rulemaking.
- Feedback is being collected through a publicly available comment form and at a series of informal listening sessions.
- This fall, the AG’s office will begin the formal notice-and-comment rulemaking by providing a notice of rulemaking and accompanying draft regulations.
The “Pre-Rulemaking Considerations” indicate that the AG’s office is particularly interested in comments on the following eight topics relating to its Colorado Privacy Act (ColoPA) rulemaking activities:
- Universal Opt-Out. As part of the Colorado AG’s authority to “adopt rules that detail the technical specification for one or more” universal opt-out mechanisms, the office invites general feedback “about the level of specificity with which to approach this task.” In addition, six specific questions were identified, including, for example: whether the rules should point to specific protocols or proposed specifications as exemplars; how to elaborate on the requirement that the “rules must not adopt a mechanism that is a default setting”; and whether rules should remain “strictly technology neutral” or, alternatively, discuss specific considerations tailored to different categories of tools that could service as an universal opt-out, such as browsers, operating system settings, and browser add-ons.
- Consent. The ColoPA requires consent to process consumer data in specific circumstances, such as prior to the processing of a consumer’s sensitive data. To this end, the AG’s office identified seven questions to assist with developing regulations regarding consumer consent. Questions included, for example, whether specific frameworks, guidance documents, or court decisions from similar legal regimes could help articulate the standards for consent, and what common methods of obtaining consent currently in use meet the ColoPA’s standards.
- Dark Patterns. The AG’s office posed five questions about regulating “dark patterns,” which the ColoPA defines as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” For example, the AG’s office is interested in understanding what standards or principles would best guide design choice to help avoid the inadvertent use of dark patterns and whether potential rules should outline specific types of dark patterns that would be prohibited.
- Data Protection Assessments (DPAs). The ColoPA provides that a “controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities … that present a heightened risk of harm to a consumer,” such as processing for targeted advertising and selling personal data. Controllers are required to provide these DPAs to the AG upon request. The office asked six questions about its approach to providing regulations on the ColoPA’s DPA requirement, including: the circumstances in which the AG should request a DPA; how much and what type of guidance any rules should provide with respect to a DPA’s form and content; whether Colorado should consider DPAs to be compliant when they have been conducted for and are compliant with another regime; and what information DPAs should contain with respect to processing for the purpose of profiling.
- Profiling and “Legal or Similarly Significant Effects.” With respect to a Colorado consumer’s right to “opt out of … profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer,” the AG’s office identified eight questions. For example, the AG’s office asked about the potential negative impacts of immediately opting a consumer out of profiling that produces legal or similarly significant effects upon request, and what, if any, special considerations may apply to opting out of profiling in the specific areas outlined by the statute (e.g., provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, etc.).
- Opinion Letters and Interpretive Guidance. The AG’s office asked four questions to assist with adopting rules governing a process to issue opinion letters and interpretive guidance, such as what the process of obtaining interpretive guidance should look like and what level and form of disclosure or public notification of such opinion letters or guidance is appropriate to maximize compliance.
- Offline and Off-Web Collection of Data. With respect to data collected through non-electronic methods, the AG’s office posed four questions to guide drafting regulations about the offline collection and use of personal data, including whether universal opt-out mechanism technical specifications should cover personal data collected offline and what challenges exist with fulfilling controller obligations when conducting offline information collection and processing.
- Protecting Coloradans in a National and Global Economy. Recognizing that the ColoPA coexists with similar laws in other local, state, national, and foreign jurisdictions, the AG’s office posed four questions to understand both how the ColoPA compares to other privacy regimes and to identify the specific privacy interests the people of Colorado tend to emphasize.
The “Pre-Rulemaking Considerations” expressly calls for comments about the topics and questions outlined above, but invites the public to submit additional input relating to the ColoPA that should be considered during the rulemaking process. Additional input may include, but is not limited to, “areas that may need further guidance or clarity, areas that may be confusing to consumers, consumer rights request or compliance obstacles, the impact of the law on business operations, and any information, analysis, or examples that can further illustrate or support any comments or positions.”
Also on April 12, in his remarks at the International Association of Privacy Professionals Global Privacy Summit, AG Phil Weiser previewed the “Pre-Rulemaking Considerations” and detailed five principles guiding his office’s rulemaking efforts, which, notably, include a desire “to make Colorado’s requirements harmonious and interoperable with requirements adopted by other jurisdictions.” In addition, AG Weiser discussed three of the eight topics identified above that his office believes will present “cutting edge challenges” during the rulemaking process. These topics include regulations concerning universal opt-out mechanisms, dark patterns, and data protection assessments. In his remarks, AG Weiser reiterated that the formal rulemaking process will begin in the fall.
For more information or advice concerning the ColoPA, please contact Tracy Shapiro, Eddie Holman, Clinton Oxford, or any member of the firm’s privacy and cybersecurity practice.
We previously covered the Colorado Attorney General’s roadmap for the rulemaking process in a Wilson Sonsini Alert, “Colorado Attorney General Announces Privacy Rulemaking.” We also provided an overview of the ColoPA’s key requirements in a second Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”