On September 30, 2022, the Colorado Attorney General’s Office released proposed rules for the Colorado Privacy Act (“CPA”), which goes into effect on July 1, 2023. The proposed rules add meaningful components to the statutory requirements of the CPA, which are otherwise very similar to the recent privacy laws enacted in Virginia, Utah, and Connecticut. This article highlights a few of these changes for Colorado businesses to stay apprised of the new regulations.
First, the proposed rules ban the use of dark patterns on their user interfaces. Dark patterns are an underhanded, manipulative way to get website visitors to do what the company wants without the visitor’s knowledge. Examples of dark patterns are when a company’s user interface tricks a visitor into signing up and sharing personal information without their consent or when a site tricks its visitor to click on an advertisement they otherwise would have ignored. These tactics are now prohibited under the CPA proposed rules. The purpose of this change is to ensure consent choice options are fair, symmetrical, and devoid of emotionally manipulative language. The Colorado legislature is sending the message that consumer silence shall not be construed as consent or acceptance.
Second, the proposed rules strengthen the opt-out preference signals. The controller, often the company, is now required to maintain a record of opt-out requests and responses and it must cease processing that personal data as soon as possible, but no less than 15 days after the receipt of the request. Opt-out methods must be as clearly disclosed as opt-in methods and must be found both inside the privacy notice and outside the privacy notice. Additionally, consumers may now exercise a universal opt-out process so long as it is clearly disclosed to the consumer, the limits are clearly described, and the controller may not require the collection of additional personal data except as necessary to confirm that the consumer is a resident of Colorado.
Third, the proposed rules require the controller to obtain valid, informed, and voluntary consumer consent prior to processing sensitive data. Examples of such sensitive data include the personal data of a child, the sale of a consumer’s personal data for profiling or targeted ads, and the processing of personal data for uses not aligned with the original specified purpose the controller had for obtaining the data. Like the California Privacy Rights Act (“CPRA”), Colorado’s proposed rules state that if a consumer previously opted-out of participating in an aspect of a site, that consumer will then be required to consent to any additional processing in the future.
The proposed rules place stricter requirements on companies that target children and process children’s data. For example, the guidelines state a controller must take all commercially reasonable steps to verify a consumer’s age before processing personal data. If the controller is aware or becomes aware of a consumer’s minority age, the controller must immediately halt processing and take all commercially reasonable steps to obtain verifiable parental consent. Additionally, even if the controller has already obtained consent from the consumer, the controller must refresh consent at regular intervals based on the context and scope of the original consent, sensitivity of the personal data collected, and the reasonable expectations of the consumer. This is a substantial addition to the CPA that goes far beyond what is required under the CPRA.
Fourth, the CPA creates strict regulations for data profiling, which the CPRA has yet to even address. Data profiling is a technology where collected data is analyzed to determine if there are any data quality issues like duplication, inconsistency, or inaccuracies and incompleteness. Profiling is an automated decision-making process, which may pose privacy risks to individuals when the automated decision-making includes discrimination, de-individualization, and stereotyping. In all cases, consumers lose consent privileges over their personal information when data profiling is involved. The CPA expressly states that controllers have an affirmative obligation to provide clear, understandable, and transparent information to consumers about how their personal information is used, especially during data profiling, and that consumers have a right to opt-out of profiling when it is done in furtherance of decisions that produce significantly similar effects concerning a consumer. The CPA expands the CPRA standards by mandating that controllers conduct and document data profiling analyses prior to processing personal data for profiling. This is not limited to automated processing and includes human-reviewed automated processing.
The CPA applies to all “controllers” that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either (1) control or process the personal data of 100,000 or more consumers during a calendar year or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data of 25,000 or more consumers. Additionally, the CPA applies to non-profits, which is a significant change from the privacy acts initiated in California and Virginia. To determine if a business entity is a “controller” under the Act, the CPA is available in full on the Colorado Attorney General’s website. See https://leg.colorado.gov/bills/sb21-190.