Data privacy rules proposed
Proposed Colorado Privacy Act rules were published Monday in the Colorado Register and on the Colorado Secretary of State’s website.
The office is encouraging the public to provide feedback on the rules’ contents.
The Colorado Privacy Act protects Coloradans’ privacy in part by granting them rights to access the data that companies have collected about them and to dictate whether and how companies can continue to collect, store, use, or sell their personal information. It also requires companies to be transparent about how they use personal data and to take precautions to reduce the risk that their data collection and use might pose to consumers. Finally, the law grants the attorney general the authority not only to hold entities accountable for failing to comply with their obligations, but also to draft rules that would clarify the act’s requirements and provide guidance for compliance.
The Department of Law invites comments from all members of the public regarding the proposed draft rules during the rulemaking process. Comments will be made part of the rulemaking record and will be posted online.
“Public input is vital to the creation of successful rules that ensure consumers are protected and businesses have guidance on how to comply with those rules,” said Attorney General Phil Weiser. “That is why the attorneys in my office are carefully considering all the input provided so far and will continue to do so.”
Members of the public will also be able to provide oral comment through three virtual meetings, which will take place on Nov. 10, 15, and 17. In addition, the department will hold a rulemaking hearing at 10 a.m. Feb. 1, 2023. The hearing will be conducted both in person and by video conference.
The department invites public comment on any provisions included in the proposed draft rules, including the below:
- Definitions: Part 2 of the draft rules includes definitions and clarifications of key terms used in the CPA and draft rules, including “biometric data,” “bona fide loyalty programs,” and “publicly available information.”
- Consumers’ personal data rights: Part 4 of the draft rules describes how Coloradans may exercise new rights over their personal data, including the right to access and correct personal data and to opt out of the sale of personal data, or use of personal data for targeted advertising or profiling.
- Universal opt-out mechanisms: Part 5 of the draft rules outlines the technical specifications for a tool or mechanism that will allow consumers to opt out of the processing of personal data by all businesses, instead of on a case-by-case basis.
- Duties of entities using consumers’ data: Part 6 of the draft rules elaborates on the duties of entities that use and control consumers’ personal data, including obligations to safeguard personal data and protect consumer privacy.
- Bona fide loyalty programs: Rule 6.05 clarifies disclosures and limitations associated with the use of Coloradans’ personal data for bona fide loyalty programs, or programs that offer discounts, rewards, or other actual value in exchange for personal data.
- Consent: Part 7 of the draft rules clarifies the requirements for obtaining consent from Coloradans prior to specific uses of personal data, and addresses the prohibition against obtaining consumer agreement through unclear or ambiguous means, often called “dark patterns.”
- Data protection assessments: Part 8 of the draft rules describes the required scope, content, and timing of data protection assessments, which controllers must complete before using personal data for activities that present a heightened risk of harm to consumers.
- Profiling: Part 9 of the draft rules addresses when and how controllers must respond to consumers’ requests to opt out of specific kinds of automated profiling, as well as what controllers must include in data protection assessments when conducting automated profiling.
The full list of specific questions from the department is included in the Notice of Proposed Rulemaking.
Under the privacy act, rules can be enforced starting July 1, 2023.