State Leaders Seek Public Feedback on the Colorado Privacy Act

The Colorado Attorney General’s Office has released the “Pre-Rulemaking Considerations for the Colorado Privacy Act,” ahead of the new law’s formal notice and comment phase. The AG’s Office is seeking informal public feedback on the Colorado Privacy Act (CPA) with the goal of ensuring interested parties can provide feedback, perspective, and expertise in connection with the CPA.

The topics within the CPA the office is specifically seeking feedback on are:

1. Universal Opt-Out – The CPA gives consumers in Colorado the “right to opt out of the processing of personal data.” This consideration looks to address the “universal opt-out mechanisms” and “technical measures” that should be implemented for consumers to exercise their rights. The questions address potentially using specific protocols or specifications, including available mechanisms and tools currently built into browsers, browser add-ons, and operating systems that could allow consumers to opt out.
2. Consent – Under the CPA, there are instances in which a controller cannot process personal data unless the controller first obtains the consumer’s consent. The AG’s office is looking to address what constitutes consent under the CPA in certain contexts and potential methods/mechanisms for obtaining consent from consumers.
3. Dark Patterns – The CPA states that agreements obtained using “dark patterns” do not constitute consent. As defined under the CPA, dark patterns are “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” The AG’s office is seeking input including what standards or principles could be used to avoid inadvertent use of dark patterns, specific types of dark patterns which should potentially be prohibited, and tools/frameworks which could be used to identify dark patterns.
4. Data Protection Assessments – The CPA requires controllers to conduct data protection assessments when conducting processing that presents a “heightened risk of harm to a consumer. The AG’s office is looking to determine the circumstances in which a DPA should be requested, existing models that could be used, and what information should be contained within the DPAs.
5. Profiling and “Legal or Similarly Significant Effects” – The CPA grants consumers the right to opt out of profiling, which is defined as “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, locations, or movements.” The AG’s office seeks feedback on specific applications of profiling, potential negative impacts of immediately opting a consumer out of profiling, and other special considerations that may apply to opting out of profiling in the specific areas outlined by the statute.
6. Opinion Letters and Interpretive Guidance – Under the CPA, the AG is authorized to adopt rules “governing a process to issue opinion letters and interpretive guidance.” The questions posed by the AG’s office include what type of interpretive guidance should be provided by the rules, the process for obtaining interpretive guidance, and if there is any existing interpretive guidance process used elsewhere that could be used.
7. Offline and Off-Web Collection of Data – The AG’s office is seeking feedback on how to manage data that is collected through non-electronic methods. Examples of non-electronic methods include, “filling out a rental form, signing a petition on a sidewalk, or buying a magazine subscription.” Questions posed by the AG include how the rules should address the offline collection of data and the challenges of maintaining consumer privacy preferences in online interactions.
8. Protecting Coloradans in a National and Global Economy – This topic is focused on comparing/contrasting the CPA to privacy legislation in other jurisdictions. The AG’s office is asking for feedback as to how the CPA crosswalks with other legislation and anything that could potentially be emphasized within the CPA to cater to the best interests of Coloradans.

The office of the AG will follow these principles when approaching the rulemaking:

• Promote consumer rights
• Clarify ambiguities
• Facilitate efficient and expeditious compliance
• Harmonize
• Allow for innovation

Businesses should be pleased with these guiding principles overall and specifically the harmonization principle that speaks to ensuring the CPA is consistent with other state, national, and international frameworks.

The CPA goes into effect on July 1, 2023.

Please reach out if you have any questions about the CPA or any other state data privacy regulations at connect@compliancepoint.com.