Second Version of Colorado Privacy Act Draft Rules Released

Following the release of the first draft of the Colorado Privacy Act (CPA) rules on October 10, 2022, the Colorado Department of Law sought comment and feedback on the rules through three sessions on November 10, 15, and 17 2022. Based on this feedback, a second version of the draft CPA rules was released on December 21, 2022. The feedback loop has been a theme since the Colorado Privacy Act passed and the AG’s office has been transparent that it is seeking and listening to consumers and industry alike. Keeping with this theme, the Attorney General and the Department of Law encourage feedback on these draft rules. There is a public hearing on February 1, 2023. Any changes to the draft rules dated 12-21-22 will be available to the public at least five days prior to the hearing.

Key Changes Between the First and Second Versions of the CPA Draft Rules

Clarification of definitions and new definitions

Several definitions were updated and clarified. This was based on commentary and questions that pointed towards some ambiguity surrounding key definitions. For example, “commercial product or service” is now defined and provides some clarification regarding the scope of applicability. Further, the terms “controller,” “employee,” “employer,” and “employment records” were added to the draft rules. These are critical definitions based on exemptions available under the CPA surrounding employment data. Other definitions added include “non-commercial purpose,” “profiling,” and “processor.” We will be interested to see how these definitions evolve during the commentary period.

The new definitions are:

“Controller” means a person that, alone or jointly with others, determines the purposes for and means of Processing Personal Data.

“Employee” means any person, including a migratory laborer, performing labor or services for the benefit of an Employer. Relevant factors in determining whether a person is an Employee include the degree of control the Employer may or does exercise over the person and the degree to which the person performs work that is the primary work of the Employer; except that an individual primarily free from control and direction in the performance of the service, both under his or her contract for the performance of service and in fact, and who is customarily engaged in an independent trade, occupation, profession, or business related to the service performed is not an “employee”.

“Employer” means every person, entity, firm, partnership, association, corporation, migratory field labor contractor or crew leader, receiver, or other officer of court in Colorado, and any agent or officer thereof, of the abovementioned classes, employing any person in Colorado.

“Employment Records” means the records of an Employee, in the manner maintained by the Employer in the context of the Employer-Employee relationship and using reasonable efforts by the Employer to collect, having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, as well as other information maintained because of the Employer-Employee relationship.

“Noncommercial Purpose” includes, but is not limited to, the following activities when conducted by a state institution of higher education, as defined in C.R.S. § 23-18- 102(10), the state, the judicial department of the state, or a county, city and county, or municipality:

1. Processing activities related to the delivery of services and benefits;
2. Research purposes;
3. Budgeting;
4. Improving operations or the delivery services or benefits;
5. Auditing operations or service or benefit delivery;
6. Sharing Personal Data between these categories of entities for any of these purposes; or
7. Any other purpose related to speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

“Process” or “Processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of Personal Data and includes the actions of a Controller directing a Processor to Process Personal Data.

“Processor” means a person that Processes Personal Data on behalf of a Controller.

“Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Opt-out Updates

The October draft of the rules outlined that the opt-out option needed to be included in the privacy policy. This is no longer the case; businesses simply need to provide consumers with a clear and conspicuous method to opt-out.

Access Rights Updates

Updates to include inferences and derivative data within the right to access a copy of personal data is a key update that controllers may be challenged to solve. It will be interesting to see if this data is included in the final draft of the rules.

For the right to correct, any data within archives or backup systems may only need to be updated if the archive or backup is restored to an active system. It is further required to be corrected if the data is accessed or used for a sale, disclosure, or commercial purpose. We do not see this level of granularity often in regulations. Backup/archive data is often a question we need to tackle with our clients when solving for consumer rights.

The updated draft also took the opportunity to provide administrative cleanup of the right to be deleted and data portability including some administrative cleanup of verbiage. This includes clarifying how to handle trade secrets as they pertain to data portability. Authentication of the consumer has also been updated to ensure controllers are required to document and comply with reasonable methods for authenticating consumers. This is a key stage in the rights process that many organizations do not put enough thought and effort into.

The Universal Opt-Out Mechanism section was amended to provide businesses and consumers with the ability to honor and exercise more granular preferences when it comes to exercising rights surrounding the sale of data and targeted advertising. The requirement to have the Universal Opt-Out Mechanism in place was also moved up from April 1, 2024, to January 1, 2024.

Notice/Privacy Policy Changes

In an effort to simplify the disclosures and make it easier for controllers and consumers alike, the rules moved away from the processing purpose requirements that are seen in the CPRA and moved towards a more straightforward explanation of purpose, data types, and categories. This is not intended to imply that the disclosures are easy to make but we believe the updates are more consumer and controller friendly.

Bolstered Duty of Care

Clarification and details were added to ensure controllers are aware of the requirement to ensure reasonable and appropriate administrative, technical, organizational, and physical safeguards surrounding the personal data collected, stored, and processed. There is clear guidance surrounding how controllers should determine what is appropriate, including consideration of industry standards, the sensitivity of the data, and the risk of harm if the data was accessed in an unauthorized manner. This is helpful guidance for both the InfoSec and Privacy teams.

Data Protection Assessment Content

This area of the rules received significant updates surrounding what the assessments need to include. The level of specificity in the rules is a sign that the assessments will be of high importance for controllers to demonstrate compliance with the CPA. The nature of the processing and operational elements should be included. Further, the controller must outline the “core purposes of the processing activity, as well as other benefits of the processing that may flow to the Controller, Consumer, and other expected stakeholders”. Controllers should work to operationalize the assessment process and ensure it remains a living document.

In Summary

Overall, the updates to the rules appear to lean towards being more business-friendly and provide additional insight into what controllers will need to do in order to comply with the CPA. If you have any questions about the CPA or other privacy laws, please contact us at connect@compliancepoint.com.