On January 27, 2023, the Colorado Attorney General’s (Colorado AG) office released the third version of its proposed draft rules (third draft) for the Colorado Privacy Act (ColoPA) based on public comments it received on the modified proposed rules published on December 21, 2022 (second draft).[1] During a February 1, 2023, rulemaking hearing, the Colorado AG’s office emphasized that it aimed to incorporate stakeholder feedback, add clarity and flexibility to the regulations, and increase interoperability with other jurisdictions’ privacy regimes. Below are the key takeaways from the changes in the third draft as well as insights from the recent hearing.

Privacy Notice Content

  • Rule 6.03(A)(1). The third draft clarifies the requirement that controllers must disclose a “comprehensive description” of their processing practices in the privacy notice, specifying that the standard is to provide a meaningful understanding of how “each category of their Personal Data”—not just “Personal Data” as previously drafted—will be used for a specified processing purpose. This change makes the disclosure rules in the third draft more detailed than those required by the California Consumer Privacy Act (CCPA) final proposed rules. Specifically, while the CCPA final proposed rules require that covered businesses list the categories of personal information to be collected, whether each category of personal information is sold or shared (for cross-context behavioral advertising purposes), and the length of time each category of personal information is retained in the business’s “Notice at Collection,” the CCPA final proposed rules allow the processing purposes to be identified more generally and do not require those purposes to be linked to specific categories of personal information.
  • Rule 6.04(B). Under the third draft, controllers must notify Colorado residents only in the event of “material” changes to their privacy notice, rather than for “substantive or material” changes. Furthermore, the draft relaxes the definition of “material” changes. Under previous drafts, controllers would have been required to notify consumers if the identity of affiliates, processors, or third parties with whom they shared Personal Data changed (despite the fact that the ColoPA does not require that level of detail in privacy notices).

Publicly Available Definition (Rule 2.02). Under ColoPA, “publicly available information” is excluded from the definition of personal data and is thus outside the scope of the law. Under the third draft, publicly available information that has been “inextricably combined with non-publicly available Personal Data” can still be considered publicly available information. The previous draft specifically excluded such data from the definition of publicly available information.

Consumer Personal Data Rights. During its February 1, 2023, hearing regarding the third draft, the Colorado AG’s office acknowledged that other comprehensive state privacy laws provide similar consumer rights and that the Colorado AG’s office aims for the ColoPA rules to be interoperable with those regimes.

  • Right to Opt Out (Rule 4.03).
    • Deadline for ceasing to process personal data subject to opt-out requests: The third draft removes the previous requirement to honor opt-out requests no later than 15 days, replacing it with “without undue delay,” a totality-of-the-circumstances test that takes into account the size and complexity of the business and the burden of operationalizing the opt-out.
    • Opt-out of profiling decisions: Under the third draft, a controller must provide a clear and conspicuous method for Colorado residents to exercise their right to opt out of Processing of Personal Data for profiling that results in legal or similarly significant decisions. In contrast, the California Privacy Protection Agency (CPPA) has yet to issue rules on the right to opt out of automated decision making.
  • Right to Deletion (Rule 4.06(A)). The third draft removes the requirement for controllers to notify their processors and affiliates of a deletion request (though this change does not absolve controllers of ensuring that their processors delete any personal data subject to the deletion request held by the processors).

Universal Opt-Out Mechanism (UOOM). During the February 1, 2023, hearing, the Colorado AG’s office explained that they revised the third draft for interoperability and to balance flexibility with technical specifications. Several speakers from the public asserted the need for the rules to provide more defined parameters for generating the list of officially recognized UOOMs, including updating the list on a defined schedule.

  • Rule 5.03(A). The third draft clarifies that those who develop or provide a UOOM do not need to tailor or refer to Colorado or the ColoPA when disclosing to consumers the UOOM’s function in facilitating opt-out requests. For example, a disclosure that the UOOM permits consumers to exercise “any and all opt-out rights available to you under state laws” is sufficient insofar as the disclosure complies with other states’ disclosure rules.
  • Rule 5.05(B). The third draft also clarifies that a controller can require additional Personal Data from a requester to process a UOOM if doing so is required for it to comply with the authentication requirements of other jurisdictions. The previous draft prohibited controllers from requesting Personal Data that is not “strictly necessary” to evaluate authenticity and legitimacy of the opt-out.

Next Steps

Public comments on the third draft were due by February 3, 2023, at 5 p.m. MT, and will then be considered for the final rules. The Colorado AG’s office is tasked with finalizing the rules on technical specifications of UOOMs by July 1, 2023. As a reminder, the ColoPA also takes effect, and enforcement begins, on July 1, 2023.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor attorney general guidance, enforcement, and litigation pursuant to the CCPA in order to assist clients with compliance. For more information or advice concerning your CCPA compliance efforts, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Hale Melnick, Clinton Oxford, Roger Li, Stacy Okoro, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.

[1] We previously covered the Colorado AG’s rulemaking process and pre-rulemaking considerations in the following Wilson Sonsini Alerts: “Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General Announces Privacy Rulemaking,” and “Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act.” We also provided an overview of the ColoPA’s key requirements in another Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”