With Colorado joining California as the only other state with rules implementing a comprehensive privacy law, businesses and practitioners have been anxiously watching to see whether a California-compliant privacy policy would also be compliant with the Colorado Privacy Act (“CPA”). And, as the Colorado Attorney General has made clear, interoperability is an important guiding principle in the Colorado rulemaking process. However, the Colorado Attorney General made equally clear that interoperability is just one principle—when the office believes there is a better way of handling an issue, it will diverge from other states’ practices. In the initial draft of the Colorado rules, it became clear that privacy policies are one such area. And while the revised draft of the Colorado rules take steps to try to increase interoperability, a comparison shows that Colorado is still taking a new, “purpose-driven” approach.
For years, most privacy policies followed the same core structure—what information is collected, how it is used, and how it is shared. These three types of disclosures were not linked to each other, so consumers were not entirely sure whether how a company may be using or sharing their specific information. For example, a consumer may know that a company collects contact information when they sign up for their newsletter and when they file a customer complaint. The consumer may also know the company sells information to third parties who will then market to them. But, the consumer doesn’t know what information is actually sold to those third parties.
With the advent of the California Consumer Privacy Act (“CCPA”), we saw a new structure begin to emerge that was information-driven. Under this model, businesses had to disclose to consumers what statutorily-defined categories of personal information it collects, whether they sold each category, and the categories of third parties to whom each category of information is sold. To comply with these requirements (and to ensure that consumers understood what the statutory categories of information included), many businesses used some version of the “California Chart”:
Going back to the original analogy, consumers would now know that the business sells “Identifiers,” which could include name and email address. But, they still would not know whether the business sells all names and email addresses regardless of whether they were collected for the newsletter or through customer complaints. The California Privacy Rights Act (“CPRA”) expanded the information needed in the California Chart, but it kept the same information-driven approach.
The draft rules for the Colorado Privacy Act struck a fundamentally different, purpose-driven approach. Under this approach, for each purpose of collection, companies will need to disclose what types of information are collected, whether that information is used for targeted advertising or sales, and the third parties to whom it is sold. To satisfy this new approach, businesses would need to use a new “Colorado Chart”:
Again using the same analogy, consumers can now see whether the information they provided for the newsletter is sold, and also whether the information the provided for customer service is processed differently. This approach is in many ways the crux of the Colorado privacy policy rule. Indeed, as the Colorado Attorney General has explained, consumers may very well have different expectations based on the context in which they provide their information. If a consumer provides their name to receive a company’s newsletter, it may be reasonable to expect that the company may use that data for targeted marketing or sales. But, if the consumer provides the same data to complain about a defective product, their expectation may differ.
After the initial draft of the Colorado rules were released, it was widely recognized that this purpose-based approach was different from the California information-based approach. However, when the Colorado Attorney General released revised rules, many commentators seemed to read them as meaning that the California Chart would satisfy Colorado requirements. But looking at the actual changes, it appears that the Colorado approach is still very much purpose-driven: the Colorado rules still require businesses to disclose the same set of information (i.e., the categories of information, whether it is used for targeted advertising and sales, and the categories of third parties to whom it is sold), but “linked in a way that gives Consumers a meaningful understanding of how their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose.” The California Chart—or any information-driven disclosure—simply does not link the disclosure in this manner because their disclosures are tied to the type of information and not to the purpose. While a company could theoretically alter the California Chart to break out purposes for each category of information, this exercise would likely be confusing.
Simply put, unless another revised draft of the Colorado rules change course, privacy policies appear to be one area where companies likely cannot find a “lowest common denominator” for uniform compliance across the board. Instead, it is an area where the “laboratories of democracy” are testing new approaches in an effort to find what strikes the best balance between protecting consumers and enabling businesses to function without overwhelming compliance costs. Companies should therefore resist the urge to believe that complying with the CPRA automatically means that they are complying with the CPA.
[View source.]
