The Colorado Attorney General's Office recently finalized rules ("CPA Rules") for the Colorado Privacy Act ("CPA"), which was signed into law in July 2021. The CPA will soon join the California Consumer Privacy Act ("CCPA") and the Virginia Consumer Data Protection Act ("VCDPA") as comprehensive state data privacy laws extending consumer rights and protections, and business compliance obligations, regarding data privacy.
As described in more detail in our prior client alert,1 beginning on July 1, 2023, entities (including non-profits) that conduct business or target more than 100,000 consumers annually in Colorado, or profit from the sale of personal information of 25,000 or more Colorado residents, will be subject to civil penalties of up to $20,000 per violation for non-compliance with the CPA Rules if the violation cannot be cured within 60 days. Notably, the upper limit of civil penalties under the CPA is considerably higher than the existing civil penalty frameworks in California and Virginia.
The final CPA Rules clarify the requirements under the CPA and provide guidance on implementing key processes, such as performing Data Protection Assessments and obtaining consent for the processing of certain personal data. The CPA Rules reflect key differences between the CPA and existing state data privacy laws. Because the detailed CPA Rules could create significant compliance obligations for businesses, covered entities should move urgently to ensure compliance with the CPA by the fast-approaching compliance deadline of July 1, 2023.
Below is a brief summary of key provisions under the CPA Rules, including any notable distinctions with existing laws in California and Virginia.
Key CPA Rule Provisions
- Processing Activity Requiring Consent. The CPA Rules now specify that controllers must obtain affirmative consent prior to a wide array of processing activities, including: (1) processing sensitive data or personal data concerning children; (2) selling a consumer's personal data; (3) processing a consumer's personal data for targeted advertising; (4) profiling (following a consumer opt-out); or (5) otherwise processing personal data for unnecessary or incompatible purposes.
- Requirements for Valid Consent. The CPA Rules now identify five elements that are necessary for establishing valid consent. Specifically, consent must: (1) be obtained through the consumer's clear, affirmative action; (2) be freely given by the consumer; (3) be specific; (4) be informed; and (5) reflect the consumer's unambiguous agreement. The CPA Rules clarify that a blanket acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes or any agreement obtained through Dark Patterns are not valid forms of consent. Controllers are required to disclose to consumers any specific primary or secondary purposes for any processing when seeking their consent and a controller must obtain new consent before beginning to process personal data for any new specific secondary purposes.
- Limited Personal Data Processing Under Prior Consent. The CPA Rules allow controllers that have received valid consent prior to July 1, 2023 (when the CPA Rules take effect) to continue processing consumer personal data, including sensitive data. However, the prior consent will only be valid if it complied with the requirements for valid consent under the CPA. A controller relying on valid consent from prior to July 1, 2023 will have to obtain new valid consent if its processing purpose ever changes to a secondary use.
- Re-seeking and Refreshing Consent. The CPA Rules allow controllers to re-seek consent from consumers who have previously opted out of processing activities, provided that the controller complies with the requirements for obtaining valid consent. However, the CPA Rules caution that controllers may not re-seek consent "using schemes that cause consent fatigue". Separately, the CPA Rules require that when a consumer has not interacted with a controller for over a year, the controller must refresh that consumer's consent.
- Data Minimization. Though the CCPA and VCDPA both impose data minimization requirements on the processing of consumer data, the CPA Rules specifically address the retention of biometric identifiers, digital or physical photographs, or audio or voice recordings that generate personal data. Specifically, the CPA Rules require that the controller review whether storage is necessary, adequate or relevant for the stated processing purpose at least once a year.
- Profiling. The CPA Rules also establish a framework for considering automated decision-making (i.e., profiling) involving personal data. The CPA Rules describe specific requirements for profiling that address transparency, consent and data protection assessments. In addition, the CPA Rules provide that a consumer may opt out of profiling that is based on either "Solely Automated Processing" or "Human Reviewed Automated Processing."2 However, the rules provide that a controller may choose not to honor a request to opt out of profiling if such profiling is based on "Human Involved Automated Processing."3 Where such a request is denied, the CPA Rules require the controller to inform the consumer specifically about: (1) the decision subject to the profiling; (2) the categories of personal data that were or will be processed; (3) the logic used in the data processing and the role of human involvement in the profiling and decision-making processes; (4) how profiling is used in the decision-making process; (5) the benefits and consequences of the decision; and (6) how consumers can correct or delete the personal data used in the profiling.
- Universal Opt-Out Mechanisms. The CPA Rules also clarify the technical specifications for facilitating a consumer right to opt out through a user-selected Universal Opt-Out Mechanism. By January 1, 2024, the Colorado State Department of Law will release an approved public list of Universal Opt-Out Mechanisms. The CPA Rules also set forth notice and choice requirements for Universal Opt-Out Mechanisms and limitations on data collection and use in processing an opt-out request.
- Consumer Loyalty Programs. Though both the CCPA and the VCDPA clarify that businesses may offer loyalty programs without violating prohibitions on retaliating against consumers who do not consent to or who opt out of certain processing, the CPA Rules are unique in how they address loyalty programs.4 In addition to detailing how consumer rights and controller obligations interact with loyalty programs, the CPA Rules require certain loyalty program disclosures, such as: (1) the categories of personal data or sensitive data collected through the loyalty program that will be sold or processed for targeted advertising; (2) the categories of third parties that will receive the consumer's personal data and sensitive data; (3) a list of any bona fide loyalty program partners; and (4) the bona fide loyalty program benefits provided by each bona fide loyalty program partner. Under the CPA Rules, businesses will need to review any loyalty program to determine the extent to which processing sensitive data is or is not necessary to provide any available, non-personalized program benefit, and provide the necessary disclosures.
- Data Protection Assessments. The CPA Rules provide much more prescriptive guidance on performing data protection assessments than both the VCDPA and the CCPA. The CPA Rules establish that the data protection assessments required under the CPA must involve key stakeholders, including all relevant internal actors from across the controller's organizational structure and any external parties needed to identify, assess and address the data protection risks presented by the controller's processing activities. The CPA Rules outline 13 components of a data protection assessment that generally address the nature, purpose, scope, risks and governance relating to the processing of personal data. The CPA Rules require a controller to update its assessment, at minimum, whenever the level of risk presented by an existing processing activity is materially modified, which may include changes to the processing purpose, personal data processed, sources of personal data, method of collection, recipients of personal data and software or other systems used for processing. Furthermore, upon request by the Attorney General, controllers must produce their data protection assessments within 30 days of such request.
- Exercising Consumer Rights. Under the CPA Rules, controllers may provide consumer rights request methods that also facilitate exercising consumer data privacy rights in other states, as long as the request method clearly identifies and provides the specific rights that are available to Colorado consumers, and how to exercise such rights. In addition, where a consumer submits a request to exercise more than one consumer data privacy right, including a right to opt out, the CPA Rules require the controller to prioritize completing the opt-out before any other consumer data privacy rights request.
- Right of Access. In responding to a consumer's request to access, the CPA Rules require a controller to provide all the specific pieces of personal data it has collected and maintains about the consumer. Specific pieces of personal data include final profiling decisions, inferences, derivative data, marketing profiles and other personal data created by the controller which is linked or reasonably linkable to an identified or identifiable individual.
It is worth reiterating that several other states are considering or moving to enact comprehensive data privacy laws, including Indiana, while other states, such as Connecticut, Utah and Iowa, have already enacted data privacy laws that will become effective within the next two years. While businesses will need to remain flexible in their compliance programs to account for nuances between these laws, businesses should be able to leverage some of their existing compliance program and processes for Colorado. Businesses should continue to keep apprised of the developments in the evolving area of U.S. consumer data privacy compliance. White & Case's Data, Privacy and Cybersecurity team will continue to provide updates on our U.S. Data Privacy Guide page as these laws emerge.
1 See F. Paul Pitman et al., Colorado Privacy Act: US Consumer Data Privacy Framework Continues Expansion, White & Case (July 9, 2021) for a more detailed summary of the CPA's statutory requirements.
2 Rule 9.04(B); see also Rule 2.02. "Human Reviewed Automated Processing" is "automated processing of Personal Data where a human reviews the automated processing, but the level of human engagement does not rise to the level required for Human Involved Automated Processing." Solely Automated Processing is "automated processing of Personal Data with no human review, oversight, involvement, or intervention".
3 Rule 9.04(C); see also Rule 2.02. The CPA Rules define "Human Involved Automated Processing" as "the automated processing of Personal Data where a human (1) engages in a meaningful consideration of available data used in the Processing or any output of the Processing and (2) has the authority to change or influence the outcome of the Processing".
4 See Rule 6.05 ("Loyalty Programs"). The CPA Rules define a "Bona Fide Loyalty Program" as a "loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing Bona Fide Loyalty Program Benefits to Consumers that voluntarily participate in that program, such that the primary purpose of Processing Personal Data through the program is solely to provide Bona Fide Loyalty Program Benefits to participating Consumers." Rule 2.02. The CPA Rules define a "Bona Fide Loyalty Program Benefit" as "an offer of superior price, rate, level, quality, or selection of goods or services provided to a Consumer through a Bona Fide Loyalty Program. Such benefits may be provided directly by a Controller or through a Bona Fide Loyalty Program Partner." Id.
Katherine Madriz (White & Case, Law Clerk, Boston) co-authored this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP