Colorado Finalizes Privacy Act Rules

The Colorado Attorney General’s Office recently published final rules implementing the Colorado Privacy Act (CPA), a comprehensive privacy law signed into law on July 7, 2021.  The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA.  Both the rules and the CPA go into effect on July 1, 2023, with the exception of some specific regulatory provisions which are effective later.

The CPA and its rules apply to “Controllers,” entities that conduct business in Colorado or deliver products or services targeted to Colorado residents, and that either: (i) process the personal data of more than 100,000 individuals in any calendar year; or (ii) derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.  Entities and affiliates subject to the Gramm-Leach-Bliley Act are excluded, as is personal data maintained in compliance with specific federal privacy laws, including the Fair Credit Reporting Act.  WBK previously covered the CPA here.

The rules provide considerable detail on a variety of topics under the CPA.  For example, the rules explain that privacy notices must provide consumers “with a meaningful understanding and accurate expectations of how their personal data will be processed,” and inform consumers of their rights along with any information necessary for consumers to exercise such rights.  The rules also address so-called “dark patterns” in the context of obtaining user consent, by providing a set of nine principles that Controllers should consider when designing a user interface.  Moreover, the rules include guidance to assist Controllers as they conduct mandated data protection assessments for processing activities that present “a heightened risk of harm” to consumers.  The data protection assessment must be genuine and: (i) identify and describe the risks to the rights of consumers associated with the processing; (ii) document measures considered and taken to address and offset those risks; (iii) contemplate the benefits of the processing; and (iv) demonstrate that the benefits of the processing outweigh the risks offset by safeguards in place.  The rules also expand on the CPA’s profiling requirements, including specifying the profiling-related disclosures that Controllers must make in their privacy notices.

Lastly, the CPA requires that Controllers allow consumers to freely exercise their right to opt out of the processing of their personal data for purposes of targeted advertising or sale through a “universal opt-out mechanism.”  The rules provide minimum standards that all universal opt-out mechanisms must meet to be recognized, and provide other details regarding implementation.  Many of the rules regarding the universal opt-out mechanism, including the rule setting out the “obligations on Controllers,” are effective July 1, 2024.