Sixth in a series of articles on the Colorado Privacy Act draft rules.

There is a lot to know about Colorado’s draft rules regarding the Colorado Privacy Act, which was enacted in July 2021.

This alert takes a look at the Data Portability provisions of the draft rules.

The state is currently accepting comments on the rules and plans to hold a series of hearings with stakeholders throughout November.

Additional details on the hearing schedule and provisions for providing comments can be found here.

Data Portability [echoing California Attorney General opinion on inferences]

• You are not required to provide Personal Data to a consumer in a manner that would disclose your trade secrets.
• Personal Data or Sensitive Data Inferences created using a trade secret algorithm or other mechanism must be disclosed to comply with a data portability request without disclosing the algorithm or mechanism itself.

Authentication

• You must establish reasonable methods to authenticate the consumer submitting a data right request and to authenticate the authority of an authorized agent submitting an opt-out request on behalf of a consumer.
• To determine whether a method is reasonable, consider the data rights exercised, the type, sensitivity, value and volume of Personal Data involved, and the level of possible harm that improper access or use could cause to the consumer submitting the data right request. Avoid methods that place an unreasonable burden on the consumer or authorized agent.
• Avoid requesting additional Personal Data to authenticate a consumer unless you cannot authenticate the consumer from the Personal Data already maintained by you.
• You may only use the authentication data for the purpose of authentication and delete it as soon as possible after.
• You cannot charge a fee for authentication (cannot require a notarize affidavit unless you pay for it).
• You don’t have to comply with a request if you cannot authenticate the consumer using commercially reasonable efforts. You need to inform the consumer that you weren’t able to authenticate and may request additional personal data if reasonably necessary to authenticate.

Responding to Requests

• If you decide not to act on a request you need to state and explain the legal basis for refusing to do so. For example: you need to explain why compliance is impossible, why you think the request is fraudulent or abusive and your reasonable efforts to authenticate, and why you were not able to do so.
• You must provide instructions on how to appeal the refusal.
• When you comply with a request you must notify all processors that process the personal data included in the request.
• You must maintain documentation related to this process.

Universal Opt-Out Mechanism (UOOM)

• Consumers may exercise their right to opt out of the processing of Personal Data concerning the consumer for purposes of targeted advertising or the sale of Personal Data through a user-selected universal opt-out mechanism (UOOM) that meets the technical and other specifications provided in the rules.
• The UOOM may be for for “all purposes” or for “specific purposes” or both.
• The rules contain requirements for designing a compliant UOOM.
• Consumer’s decision to adopt a tool that does not come pre-installed with a device, such as a browser or operation system, but is marketed prominently as a privacy-protective tool or specifically as a tool designed to exercise a user’s rights to opt out of the processing of Personal Data shall be considered the consumer's affirmative, freely given, and unambiguous choice to use a UOOM.

Obligations regarding UOOM

• When processing a UOOM, you may not require the collection of additional Personal Data beyond that which is strictly necessary to confirm a consumer is a resident of Colorado or determine that the mechanism represents a legitimate request to opt out of the processing of Personal Data.
• You may provide the consumer with an option to provide additional Personal Data only if it will extend the recognition of the consumer’s use of the UOOM across platforms, devices or offline. For example, you may give the consumer the option to provide their phone number or email address so that the UOOM or signal can apply to offline sale of Personal Data or link the consumer’s opt-out choice across devices.
• You may not require a consumer to log in or otherwise authenticate themselves as a condition of recognizing the consumer’s use of the UOOM.
• You may display in a conspicuous manner if it has processed the consumer’s opt-out preference signal (in CPRA this is mandatory).

Starting July 1, 2024:

• If you receive an opt-out request through a UOOM you must treat such as a valid request to opt out of the processing of Personal Data for purposes of targeted advertising, sale of Personal Data, or both, as indicated by the mechanism, for the associated browser or device, and, if known, for the consumer.
• After receiving a valid opt-out request through the use of a UOOM, you must continue to treat the browser, device, and consumer as having exercised opt-out rights until the browser, device, or consumer overrides the opt-out, as specified in the rules.

Opt in after opt out:

• You may not interpret the absence of a UOOM signal after the consumer previously utilized a UOOM as consent to opt back in.
• The Colorado Department of Law shall maintain a public list of UOOMs that have been recognized to meet the standards of the rules. The initial list shall be released no later than April 1, 2024 and shall be updated periodically.

Next Steps:

• The draft regulations are open for public comments through the comment portal available at coag.gov/CPA during the comment period between October 10, 2022, and February 1, 2023. Comments submitted by November 7, 2022, will inform the stakeholder meetings; comments submitted by January 18, 2023, will considered for any proposed revisions presented at the hearing.
• The Department will host three (3) virtual stakeholder meetings to discuss the CPA proposed draft rules.

[View source.]