The Colorado Attorney General’s Office has published its final rules for the Colorado Privacy Act, the state’s upcoming consumer data privacy law, which goes into effect July 1, 2023.
While the final draft was posted at the end of February, the rules received final approval March 15 following review by the AG’s Office, which must publish a general opinion on the legality and constitutionality of any rules issued by a state agency (including itself) before they take effect.
The long-awaited rules lay out how the law will apply to Colorado consumers and to the businesses that collect and control their data, and they narrow several of the statute’s definitions.
“I am grateful for the dedication and engagement from the public throughout this rulemaking process,” said Attorney General Phil Weiser in a press release. “Attorneys in my office thoughtfully incorporated feedback throughout the rulemaking to carefully craft rules to both protect consumers and ensure businesses have reasonable direction as they manage Coloradans’ information.”
Since the fall of 2022, Colorado’s AG’s Office, which was charged with implementing CPA, has held numerous stakeholder meetings and published several draft rules. The final rules are the fourth draft.
Colorado is one of five states to have passed a comprehensive consumer data privacy law: California enacted the California Consumer Privacy Act in 2018, followed by Virginia, Colorado, Utah and Connecticut. Congress is also currently considering a national data privacy law.
Law Week caught up with attorneys at Hogan Lovells’ Denver office to learn more about the final rules, their application and how Colorado compares to the patchwork of state-level legislation and international laws.
CPA was created in 2021 by Senate Bill 21-190. The law established personal data privacy rights for Colorado residents and set new obligations for companies that determine how and why personal data is collected and held (“controllers”) and companies that process personal data on a controller’s behalf (“processors”). Under the law, Colorado consumers have the right to opt out of the processing of their personal data for targeted advertising, sale or certain kinds of profiling, to access their data, to correct or delete it, and to obtain a portable copy of it.
It applies to companies and organizations that control or process the personal data of 100,000 or more consumers per year, or that derive revenue from selling personal data and control or process the data of 25,000 or more consumers. It doesn’t apply to governments, state institutions of higher education, employment records or data already governed by certain other state and federal laws.
Controllers and processors are required, among other things, to conduct data protection assessments for higher-risk processing, disclose to consumers whether their data will be sold or shared with other parties, honor opt-out requests (including a universal opt-out signal that works across organizations) and provide consumers their personal data on request.
Only state prosecutors (the AG’s Office or district attorneys) can enforce CPA; there is no private right of action. A violation is treated as a deceptive trade practice under Colorado’s consumer protection law.
Ana Gutiérrez, a partner at Hogan Lovells’ Denver office with a background in regulatory matters, explained that the AG’s office is responsible for filing its opinion on the rules with the Colorado Secretary of State, and that the adopted rule will likely be published in the March 25 Colorado Register.
The Most Recent Changes
Hogan Lovells associate Sophie Baum has followed CPA throughout its rulemaking process after relocating to the firm’s Denver office about a year ago from Washington D.C. Baum works in state and international privacy and cybersecurity law. She said Hogan Lovells primarily represents organizations that fall into the controller and processor categories of CPA, such as companies and nonprofits.
The final version of the rules has a few large changes to controller obligations, according to Baum.
One significant change concerns consent for sensitive personal data (data that, alone or combined with other data, reveals someone’s race or ethnicity, religious beliefs, health condition or diagnosis, sex life or sexual orientation, or citizenship status, as well as genetic or biometric data and personal data from a known child). Controllers must obtain consent before processing such data, and must obtain fresh consent if they later plan to process it for a purpose different from the one originally disclosed.
Another major update is a new requirement that controllers, when obtaining that initial consent, disclose the names of the third parties that will receive the sensitive data through a sale.
“They have to disclose, at the time that they consent, the names of the third parties receiving sensitive data through a sale,” explained Baum. “That has a couple of impacts, for example, it could sort of ‘out’ certain companies as purchasers of this information…it also kind of scopes in different categories of third parties that might be acquiring information. And so it applies both to transfers to affiliates and to third parties.”
Another new requirement that has raised questions, according to Baum, is the data protection assessment that controllers must perform for processing activities that present a heightened risk to consumers. Baum said there are still gray areas about whether the requirement applies to activities begun before July 1, and about which specific activities fall under it.
“In general, I think we probably will be expecting guidance from the Attorney General’s Office,” she added regarding the data protection assessments.
How Does Colorado Measure Up to Other States?
With concerns about digital data on the rise, lawmakers are taking an increased interest in passing state-level legislation around data rights. Baum said several things stick out about Colorado’s law and rulemaking process.
“A lot of the language is very similar to what you see in the GDPR,” said Baum, who added that, with the exception of California, U.S. states have primarily modeled their laws on the European Union’s General Data Protection Regulation, adopted in 2016.
She noted that Colorado and California have been the only two states so far to implement a rulemaking process. Colorado is also the first state to not exempt nonprofits from the law.
Baum added that Colorado is at the forefront on certain data privacy issues, including universal opt-out mechanisms.
“Something that Colorado is really at the forefront of is pushing something that we see in the California law … it’s called a universal opt-out mechanism,” said Baum. “Basically, it’s an automatic signal that a consumer could use in order to opt out of certain things like targeted advertising or sale of their data.”
The Colorado AG’s office has indicated that it plans to publish a list of technologies recognized as universal opt-out mechanisms, and Baum believes that will give consumers, businesses and other states grappling with opt-out requirements much-needed clarity.
According to a press release from the Colorado AG’s office, CPA makes Colorado the first state to regulate automated decision-making, such as profiling, in a state privacy law.
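To make the universal opt-out concept concrete, here is an added example of how a controller’s web backend might honor such a signal server-side. It is not code from the original article or from Hogan Lovells. The rules speak generically of a “universal opt-out mechanism”; this example assumes the signal arrives as the Global Privacy Control request header `Sec-GPC: 1`, one widely deployed signal of that kind (the article itself names no specific technology). The purpose names, the policy table and the request records are constructed for illustration.

```python
"""Honoring a universal opt-out signal on the server side.

Assumption (not from the article): the signal is the Global Privacy Control
header `Sec-GPC`. The GPC specification treats only the exact value "1" as an
opt-out; any other value carries no meaning and must be ignored.
"""
from typing import Iterable, Mapping

# Purposes a universal opt-out signal covers, per the article's description:
# targeted advertising and the sale of personal data. Processing for any other
# purpose (order fulfillment, security logging, ...) is not affected by it.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


def universal_opt_out_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries a valid universal opt-out signal.

    Header names are matched case-insensitively, as HTTP requires, and only
    the value "1" counts; "0", "", "true" and a missing header all mean
    "no signal".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def processing_decision(
    headers: Mapping[str, str],
    requested_purposes: Iterable[str],
    stored_opt_outs: Iterable[str] = (),
) -> dict:
    """Decide, purpose by purpose, whether processing may proceed.

    A purpose is blocked when the consumer already opted out of it through a
    stored preference, or when it is an opt-out purpose and the request carries
    the universal signal. The signal never blocks purposes outside
    OPT_OUT_PURPOSES, so a consumer sending it can still, say, place an order.
    """
    signal = universal_opt_out_present(headers)
    stored = frozenset(stored_opt_outs)
    decision = {}
    for purpose in requested_purposes:
        blocked = purpose in stored or (signal and purpose in OPT_OUT_PURPOSES)
        decision[purpose] = not blocked
    return decision


def merge_opt_outs(headers: Mapping[str, str], stored_opt_outs: Iterable[str] = ()) -> frozenset:
    """Fold the signal into the consumer's stored preferences.

    The header only speaks for the request it rides on; persisting the opt-out
    keeps it in force for later requests (e.g. from a client that stops
    sending the header) until the consumer changes the preference.
    """
    stored = frozenset(stored_opt_outs)
    if universal_opt_out_present(headers):
        return stored | OPT_OUT_PURPOSES
    return stored


if __name__ == "__main__":
    # Constructed sample requests for illustration.
    gpc_request = {"Host": "shop.example", "Sec-GPC": "1"}
    plain_request = {"Host": "shop.example"}
    purposes = ["order_fulfillment", "targeted_advertising", "sale"]
    print(processing_decision(gpc_request, purposes))
    print(processing_decision(plain_request, purposes, stored_opt_outs={"sale"}))
    print(sorted(merge_opt_outs(gpc_request, {"analytics"})))
```

The point of `merge_opt_outs` is that the signal is request-scoped while the consumer’s opt-out is not; a controller that only checks the header on the current request will silently resume selling data as soon as a client stops sending it.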
With CPA going into effect in just over three months, Baum recommends that Colorado organizations prepare for enforcement now.
She said the first step is understanding whether the law applies to them at all. Organizations should look at what data they collect or process and for how many consumers, and, since CPA exempts certain organizations and data types, factor those exemptions in as well.
Baum said the next step for many organizations will be taking stock of their data collection practices: understanding what types of data are collected, where the data comes from, how it’s used and where it might be transferred.
“Making sure you have a really good understanding of the data flows that are part of your business processes is going to be really key,” Baum explained. “I think what we’ve seen in Colorado, especially with these rulemaking processes, is an appetite to make sure that the law is clear and kind of signaling that it will be enforced.”
She added that CPA’s obligations for data holders aren’t simple and organizations should carefully review what’s expected of them to be in compliance.