‘Tis the Season: Colorado Attorney General Releases New Draft CPA Regulations


On December 21, 2022, the Colorado Attorney General (AG) released its newest set of draft regulations to the Colorado Privacy Act (CPA), which will take effect in July 2023. This latest draft includes updates to the proposed regulations issued on September 30, 2022, following a public comment period. Stakeholders now have until January 18, 2023, to submit comments on these latest draft regulations in advance of a rulemaking hearing set for February 1, 2023.

In Depth


In soliciting additional comments to the revised CPA regulations, the Colorado AG is seeking specific input on: (1) clarifications to definitions; (2) use of IP addresses to verify consumer requests; (3) a universal opt-out mechanism; (4) streamlining the privacy policy requirements while maintaining their comprehensiveness; and (5) bona fide loyalty programs. The latest draft regulations include detailed questions from the AG to stakeholders on each of these topics.


There seems to be something for everyone in the latest updates to the CPA regulations. Some changes will be heralded by privacy advocates, while others will make implementation easier for businesses. While we cannot document each of the many updates here, some of the more notable revisions include:

  • Updates to Definitions. The newly proposed regulations contain many new and revised definitions. Some of the “new” definitions simply restate the statutory definitions (e.g., for controller), while some are entirely new (e.g., a definition for “employee” and “employment records”). Thankfully, there is also an update to the definition of “biometric identifiers” to make clear that “behavioral characteristics” are only “biometric identifiers” when “[p]rocessed for the purpose of uniquely identifying an individual.”
  • Clarifications to Consumer Rights. The revised CPA regulations clarify that when a consumer makes an access request, they are entitled to receive “final Profiling decisions, inferences, derivative data, and other Personal Data created by the Controller which is linked or reasonably linkable to an identified or identifiable individual.” The revised regulations also require companies to “avoid incomprehensible internal codes” and to “include explanations” for the data that is provided in an access request. Both changes could dramatically increase the burden on businesses when responding to access requests. Compounding these changes, the “impossibility” exception to responding to consumer requests in Rule 4.09 was removed.
  • Backup Systems. On the other side of the burden ledger, the proposed regulations make it clear that backup and archived systems are outside the scope of requests to correct (in addition to requests for deletion).
  • Updates to Universal Opt-Out Compliance. The Colorado AG has moved up the date for publishing its initial list of approved opt-out providers from April 2023 to January 2023. A newly proposed regulation, however, would give businesses six months from the date an opt-out signal/provider is recognized by the AG to begin complying with that new signal or provider. This will be welcome news to many businesses.
  • Streamlining Privacy Policy Disclosures. To the dismay of some, when the original CPA disclosures were released, businesses were confronted with yet another set of requirements as to how to disclose and describe the personal information they collect and use. The revisions, however, pare back some of the differences between the CPA and, for example, the California Consumer Protection Act (CCPA) requirements. Gone is the requirement that the privacy policy be organized by processing purposes, making it possible to harmonize CCPA and CPA requirements.
  • Revisiting Consent. The original draft CPA regulations introduced the concept that businesses might have to refresh consumer consent at regular intervals but largely left to a business’s discretion what that interval should be. The new draft regulations now provide that consents must be refreshed when (1) the consumer has not interacted with the controller in the last 12 months and (2) the controller is processing sensitive personal information or is processing personal data for a secondary data use that involves profiling for a decision that could have a significant effect on the consumer. This significantly reduces the population of consumers from which consent must be refreshed. Moreover, the draft regulations include a safe harbor of sorts: where controllers give consumers the ability to update their own opt-out preferences at any time, controllers do not have to refresh consent.
  • Updating Data Protection Assessment Requirements. The most recent draft CPA regulations substantially change the substance of what controllers must include in their data protection assessments. The good news is that most of these changes streamline the data processing agreement process, making it easier to conduct.


The public comment period on the latest draft regulations is open through January 18, 2023. There will then be a public rulemaking hearing on February 1, 2023. From there, we anticipate the Colorado AG will make final changes to the regulations before ultimately publishing them in advance of the July 1, 2023, effective date of the CPA.

Although the proposed Colorado regulations will not take effect until July 2023, many companies are working now to update their existing programs for CCPA compliance and may want to consider incorporating some of the key Colorado components as they do.

McDermott’s global privacy & cybersecurity team can help you integrate the Colorado requirements into your program, notices and processes. We can also help businesses submit comments to the new proposed regulations. For assistance, please contact your regular McDermott Will & Emery lawyer or the authors of this article.