On March 15, 2023, the Colorado Attorney General’s (Colorado AG) office released the final version of the Colorado Privacy Act (ColoPA) rules (the final rules), which are based on public comments on the third version of the rules published on January 27, 2023. The final rules were published in the Colorado Register on March 25, 2023. While the final rules are substantially similar to the third version of the proposed rules, there are several notable revisions companies should consider as part of their compliance efforts. Below are some key takeaways from the changes in the final rules.
- Privacy Notice Content Requirements (Rule 6.03). The final rules keep the onerous privacy notice requirements from the previous draft. Specifically, controllers must disclose how each category of personal data will be used for each processing purpose. This rule is more detailed than those required by the California Consumer Privacy Act (CCPA) final proposed rules, which allow the processing purposes to be identified more generally and do not require each processing purpose to be linked to a specific category of personal information.
- Opt-Out Link Text (Rule 4.03(B)(3)). The final rules add “Your Privacy Choices” as an example of valid opt-out link text to align with one of the options provided by the CCPA. As a reminder, the CCPA permits businesses to use “Your Privacy Choices” text as a way to simplify links where the business offers an opt-out for “sales” and “sharing” under the CCPA and allows consumers to limit use of their sensitive personal information.
- Data Minimization (Rule 6.07(B)). The final rules now require controllers that store photos or voice recordings of Colorado residents to conduct an annual review to ensure that the photos and voice recordings are not kept longer than necessary, adequate, or relevant, even if the controller does not generate any personal data from the files.
- Consent for Previously Collected Sensitive Data (Rule 7.02(B)(1)). Controllers that do not obtain valid consent to continue processing sensitive data by July 1, 2023, now have until July 1, 2024, to obtain that consent.
- Consent for Secondary Uses of Previously Collected Personal Data (Rule 7.02(B)(2)). The final rules also make clear that controllers must obtain valid consent for processing any personal data for secondary uses after July 1, 2023, even if that personal data was collected prior to July 1, 2023. Such consent must be obtained “at the time the Processing purpose changes.”
- Requirements for Valid Consent (Rule 7.03(D)). The final rules state that consent to process personal data for one specific purpose does not constitute valid consent to do so for other purposes, but reintroduce a qualifier from the second version that the “other purposes” refer to those “that are not reasonably necessary to or compatible with that specific purpose.” In other words, insofar as multiple processing purposes are reasonably necessary to or compatible with one another, controllers do not need to receive consent for each specific purpose.
- Requirements for Informed Consent (Rule 7.03(E)(1)(e)). While the final rules delete the requirement that controllers disclose the categories of all parties who will have access to the personal data, the final rules keep the stricter obligation that controllers disclose the names of all third parties receiving the sensitive data through a “sale.”
- Consent After Opt-Out (Rule 7.05(B)(2)). The final rules now allow controllers to proactively reseek consumer consent if they have a “reasonable belief” that the consumer intended to opt back into the sale of personal data or processing of personal data for targeted advertising. The final rules do not further elaborate on what constitutes a “reasonable belief.”
- Requirements on Refreshing Consent (Rule 7.08(A)). According to the final rules, controllers must refresh previously obtained consent only if the consumer has not interacted with the controller in the past 24 months (instead of the 12-month interval required by the third version).
In complying with the above consent requirements, however, controllers should keep in mind that if a consumer refuses or withdraws consent for processing sensitive data or personal data that is strictly necessary for a service, the controller is not required to provide that service (Rule 7.07(D)(1)).
Both the ColoPA and the final rules become effective on July 1, 2023. While companies covered by the CCPA may be able to leverage some of their CCPA compliance efforts to fulfill their obligations under the ColoPA and the final regulations, these regimes do not overlap in a comprehensive way. For example, whereas the California Privacy Protection Agency (CPPA) is just beginning its efforts to draft regulations on risk assessments and profiling, the ColoPA final rules already contain requirements controllers must consider to these ends.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your ColoPA compliance efforts, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Hale Melnick, Clinton Oxford, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.
We previously covered the Colorado AG’s rulemaking process and pre-rulemaking considerations in the following Wilson Sonsini Alerts: “Colorado Attorney General’s Office Releases Third Version of Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General Announces Privacy Rulemaking,” and “Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act.” We also provided an overview of the ColoPA’s key requirements in another Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”