Revised Colorado CPA Rules are here: What do you need to know

Fox Rothschild LLP
Colorado Attorney General Phil Weiser has published revisions to the Colorado Privacy Act rules, as well as some additional questions for public feedback.

His questions include:

  • What are the pros and cons of using IP addresses to authenticate the location of consumers opting out of the sale of Personal Data or use of Personal Data for Targeted Advertising through a Universal Opt-Out Mechanism?
  • Under the CPA, why and when should Controllers be able to prevent a consumer from obtaining the benefits of a bona fide loyalty program despite that consumer’s decision to opt out of the sale of Personal Data, or Processing of Personal Data, for Targeted Advertising or Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer?

Some key points:

Transparency

  • To match California (and for that matter, Europe), Colorado privacy notice disclosures will no longer need to be purpose based. Instead, the regulations require (like California) that "the processing purpose and type of Personal Data Processed be linked in a way that gives Consumers a meaningful understanding of how their Personal Data will be used."
  • Biometric identifiers: The definition was amended to state that there needs to be "characteristics that can be Processed for the purpose of uniquely identifying an individual."
  • "Public information" inferences made exclusively from multiple sources of publicly available information were removed from the definition.
  • Transparency requirements apply not only to privacy notices, but also to all "notifications and other communications."
  • The disclosures have to be "Straightforward and accurate, and must not be written or presented in a way that is unfair, deceptive, false, or misleading." (Hello Federal Trade Commission.)
  • The privacy notice must include a comprehensive description of the Controller’s online and offline Personal Data Processing practices, linked in a way that gives Consumers a meaningful understanding of how their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose.
  • Substantive or material changes may include, but are not limited to, changes to: (1) categories of Personal Data Processed; (2) Processing purposes; (3) a Controller’s identity; (4) the act of sharing of Personal Data with Third Parties; (5) the identity of Affiliates, Processors, or Third Parties that Personal Data is shared with; or (6) methods by which Consumers can exercise their Data Rights request.
  • If a substantive or material change to a Processing purpose disclosed in a revised privacy notice constitutes a secondary use, a Controller must obtain Consent from a Consumer before Processing previously collected Personal Data for that secondary use. Disclosure of the new Processing purpose in the privacy policy alone does not constitute valid Consent. (Hello FTC 2012 privacy report and GDPR Article 6(4).)
  • The fact that a design or practice is commonly used is not, alone, enough to demonstrate that any particular design or practice is not a Dark Pattern.

Right of Access

  • The rules echo the California Attorney General opinion on this matter regarding the materials provided in response: "Specific pieces of Personal Data includes final Profiling decisions, inferences, derivative data and other Personal Data created by the Controller which is linked or reasonably linkable to an identified or identifiable individual."
  • They also echo the rest of the same California Attorney General opinion, which said that you don't need to reveal your trade secrets in the process of replying to an access request, but that you do need to tailor your response (redact? provide a non-portable format?) so that you can reply without compromising the trade secret.
  • The response must avoid incomprehensible internal codes and include explanations, echoing many GDPR guidance papers, including some from the Information Commissioner's Office and the European Data Protection Board.

Right to Correction

  • If a Controller or Processor stores any Personal Data on archived or backup systems, it may delay compliance with the Consumer’s correction request with respect to an archived or backup system until that system is restored to an active system or is next accessed or used for a sale, disclosure or commercial purpose.
  • If a Controller denies a Consumer’s correction request based on the Controller’s determination that the contested Personal Data is more likely than not accurate based on the totality of the circumstances, the Controller must document the Consumer’s requested correction to the Personal Data, any documentation requested from and provided by the Consumer in support of the correction request, and the reason for the Controller’s determination. (This echoes the CPRA regs.)

Universal Opt-Out Mechanism

  • Must allow a Consumer to express their choice to opt out of either all purposes or one specific purpose.
  • The Colorado Department of Law will allow Controllers six (6) months to recognize Universal Opt-Out Mechanisms added to the public list of accepted mechanisms.

Data Minimization

The requirement to obtain consent every year to process biometric identifiers, or personal data generated from a photo or an audio or visual recording, has been removed.

Duty of Care

  • Personal Data must be Processed in a manner that ensures reasonable and appropriate administrative, technical, organizational and physical safeguards of Personal Data collected, stored and Processed. (Hello Article 32 GDPR, security of processing.)
  • When determining reasonable and appropriate safeguards, Controllers should consider: (1) Applicable industry standards and frameworks; (2) The sensitivity and amount of Personal Data; (3) The original source of Personal Data; and (4) The risk of harm resulting from unauthorized or unlawful access, use, or degradation of the Personal Data.
  • Reasonable and appropriate administrative, technical, organizational and physical safeguards must: (1) Protect against unauthorized or unlawful access to or use of Personal Data and the equipment used for the Processing, as well as against accidental loss, destruction, or damage; (2) Ensure the confidentiality, integrity and availability of Personal Data collected, stored and Processed; (3) Identify and protect against reasonably anticipated threats to security or the integrity of information; and (4) Ensure compliance with data security policies by the Controller and Processors.

Consent

  • Controllers that do not obtain valid Consent prior to July 1, 2023, to process data which requires consent must obtain valid Consent, by January 1, 2024, to continue to Process such personal data.
  • Controllers may present Consent to Process Personal Data for multiple related or similar Processing purposes with a single Consent option, as long as there is also an option for more granular Consent.
  • Any interface used by a Controller to request a Consumer’s consent must contain the disclosures required, but this can be achieved through a link as long as it clearly states the title and heading of the webpage section containing the relevant disclosures. (Hello California Notice at Collection and GDPR first layer notice.)
  • Example: A product recall email list cannot be used for a secondary purpose of providing promotional materials without consent. (Hello: GDPR and Twitter FTC consent order re: mobile number uses.)
  • You can't ask for consent (after an opt out) using schemes that cause consent fatigue, such as interface-dominating cookie banners, high-frequency requests, cookie walls, pop-up windows, pop-up banners, or other web interface displays that degrade or obstruct the Consumer’s experience on the Controller’s web page or application.
  • Refreshing consent: You need to refresh Consent after a year of no interaction if you are Processing sensitive data, or Processing data for a secondary use that involves Profiling with legal or similarly significant effects. Controllers are not required to refresh Consent under that rule where the Consumer has access to, and the ability to update, their Consent preferences at any time through a user-controlled interface.

DPIAs

The required content of a DPIA has been revamped. A DPIA now needs to contain the following:

  • A short summary of the Processing activity.
  • Categories of Personal Data to be Processed.
  • The context of the Processing activity, including the relationship between the Controller and the Consumers whose Personal Data will be Processed and the reasonable expectations of those Consumers.
  • The nature and operational elements of the Processing activity. Consider the type, amount and sensitivity of Personal Data Processed, the impacts that operational elements will have on the level of risk presented by the Processing activity and any relevant unique relationships.
  • Operational details about the Processing, including planned processes for Personal Data collection, use, storage, retention and sharing.
  • Specific types of Personal Data to be processed.
  • The core purposes of the Processing activity, as well as other benefits of the Processing that may flow to the Controller, Consumer and other expected stakeholders.
  • The sources and nature of risks to individual Consumers and broader Consumer groups posed by the Processing activity.
  • Measures and safeguards the Controller will employ to reduce the potential risks identified.
  • A description of how the benefits of the Processing outweigh the risks identified as mitigated by the safeguards identified.
  • Relevant internal actors and external parties contributing to the data protection assessment.
  • Any internal or external audit conducted, including the name of the auditor, the names and positions of individuals involved in the review process and the details of the audit process.
  • Dates the data protection assessment was reviewed and approved, and names, positions and signatures of the individuals responsible for the review and approval.

Profiling

  • The trigger for the right to opt out of Profiling is when the profiling is done in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
  • Controllers should consider both the type and degree of potential harm to Consumers when determining if Profiling presents a reasonably foreseeable risk of “other substantial injury” (which is one of the triggers for a DPIA). For example, a small harm to a large number of Consumers may constitute “other substantial injury.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
