The Colorado Attorney General’s Office hosted a public hearing on the latest draft of the upcoming Colorado Privacy Act that creates data rights for consumers in the state. Officials with the office said the hearing is one of the final steps in the process to finalize the implementation of the CPA, which goes into effect July 1.
Assistant AG Stevie DeGroff explained that the Feb. 1 hearing, which was held online and in person, was one of the final phases in the office’s months-long effort to gather input from stakeholders and draft specifics for the CPA.
“This hearing is one of the final steps in the rulemaking process,” said DeGroff, opening the hearing. “The department recognizes that public involvement and transparency are important to establishing strong regulations.”
The public hearing came less than a week after the Colorado AG’s Office published its third draft of the CPA on Jan. 27, which dialed in definitions of universal opt-out mechanisms and loyalty programs and created additional requirements around consumer consent. The latest draft aimed to incorporate some of the feedback the department received since it published the second version of the rules in December, according to AG officials who spoke at the hearing.
“The current version of the proposed rules reflects an attempt to balance competing stakeholder feedback on these definitions,” said DeGroff, who added the office received comments with split requests to tighten, broaden or change certain definitions.
Wednesday’s hearing included hours of testimony from individuals representing businesses, consumers, nonprofits and more.
Some interesting points to come out of the hearing included concerns over how Colorado’s rules will compare to other states as a growing patchwork of data rights regulation goes into effect across the country, a continued call to clarify how nonprofits would comply with the CPA and competing concerns about the act’s impacts on businesses and consumer rights.
The latest draft of the CPA has significant updates to privacy notices and user consent.
The current version of the act would require data controllers to get additional consent from consumers if privacy notices change and would also require consent from consumers to use already-collected data for secondary uses after a privacy notice changes. Testimony at Wednesday’s hearing was split on the new requirements, with consumer advocates praising them and business advocates casting doubt on their implementation.
Sara Geoghegan, counsel with national data privacy organization Electronic Privacy Information Center, said the organization was happy to see additional consent requirements. “We support the strong consent requirements in the proposed rules, and we support the change that provides clarity about what a similar number of steps in a consent scheme looks like,” said Geoghegan.
A handful of organizations that represent businesses testified to concerns that the new consent requirements could create consent fatigue for consumers and place added burdens on businesses.
Loren Furman, president and CEO of the Colorado Chamber of Commerce, said the organization and its members have concerns over the ramped-up consent requirements.
“The concern is that the draft will expand the application of the consent requirements… Ultimately, a controller may have to inundate a consumer with consent requests and obviously the consumer will get tired of receiving those requests,” said Furman. “Our members overall would want the regulations to include more flexibility aligned with the current statute.”
Jessica Kostelnik, with the Denver Metro Chamber of Commerce, asked the AG’s Office to push back the CPA’s implementation by six months or a year from its scheduled effective date this summer.
“A generous timeline to implement before enforcement begins may be necessary for businesses to ramp up their data privacy protections, align corporate design cycles to sync with new privacy disclosure requirements, develop capacity to recognize and honor universal opt-out mechanisms and establish internal processes to administer consumer data requests,” said Kostelnik.
Kostelnik also asked the office to take a flexible approach to implementing and tailoring the CPA, adding, “Colorado is pioneering on this subject, and we will likely have to continue to adapt the rules once we have more real-world examples of its impact on businesses, consumers and our economy.”
Multiple speakers testified to the growing number of state-level regulations around personal data collection.
Colorado is one of five states to pass a consumer data privacy law as concerns over digital data collection grow. Federal lawmakers are also considering a law to create and regulate personal digital data rights.
Ruthie Barko, executive director of the Colorado chapter of TechNet, a national technology trade organization that focuses on public policy, explained the tech industry has been watching the development of state data privacy laws and how they impact national products.
“Our members are heavily impacted by interoperability and whether or not this remains workable for them with the emerging state patchwork on data privacy frameworks,” said Barko.
Dan Frechtling, CEO of Boltive, software that allows companies to track and replace invasive ads that could have malware, data leakage or other issues, said an increasing number of customers have been asking about state-level data privacy regulations.
“Recently, many of our clients have asked us to help them comply with data privacy regulations, such as the CPA,” said Frechtling, who added that over 90% of the clients Boltive has worked with have found flaws in their data opt-out mechanisms allowing for unauthorized data access. He urged the AG’s Office to ensure the CPA is enacted quickly and also allow for regular audits that make sure businesses are complying with the act.
Colorado nonprofits are also still concerned about how complying with the CPA could impact their organizations.
Stephanie O’Malley, associate vice chancellor for the University of Denver’s Office of Government and Community Relations, spoke on behalf of Independent Higher Education of Colorado, a nonprofit organization that includes DU, Regis University and Colorado College. O’Malley rehashed concerns voiced by nonprofits that complying with the CPA could drain resources that are already spread thin.
“We fear that we may be forced to discontinue relationships with critical processors and third parties that help us to have the strongest college retention and graduation rates in the state as we may not have the negotiating power needed to incorporate CPA compliance terms into our contracts,” said O’Malley. She asked the AG’s Office to tailor definitions of noncommercial purposes and commercial purposes to account for times when nonprofits are paid for their services and could fall under the CPA definitions of a commercial entity.
Written comments from Seattle-based nonprofit Code.org also raised concerns over whether a nonprofit could be considered a commercial entity when it provides services in exchange for money and asked for clarification about the classification of national nonprofits with connections to Colorado. Specifically, the nonprofit asked if the definition of “conducts business in Colorado” would mean a nonprofit has filed as a charity with the Colorado Secretary of State or if a national organization with remote employees in Colorado would fall under the definition.
The Colorado AG’s Office said it will consider both testimony and written feedback about the latest draft before it releases the next or final version of the rules.