The good news for those of us aiming to comply with the now-handful of state privacy laws is that on September 30, Colorado Attorney General Phil Weiser released the Colorado Privacy Act’s draft regulation.
The draft covers nine areas:
- General applicability
- Definitions
- Consumer disclosures
- Consumer personal data rights
- Universal opt-out mechanisms
- Controller duties
- Consent
- Data protection assessments
- Profiling
The (sort of) bad news: The regulations? They thick. It’s going to take some time to sort through the 31 pages of prescriptive rules. But here’s a high-level look at the eyebrow-raising provisions so far, as told to me by Husch Blackwell's David Stauss and Future of Privacy Forum's Keir Lamont.
Privacy policies are about to get (even) longer
This one could be annoying. The draft regs require privacy policy disclosures not on the personal information your company collects, as we’ve become accustomed to, but on your purposes for collecting the data you’ll process.
The draft regs say it privacy notices for consent must include “a comprehensive description of the controller’s online and offline personal data processing practices,” including, among others:
- The processing purpose is “described in a level of detail that gives consumers a meaningful understanding of how their personal data is used and why their personal data is reasonably necessary” for the processing.
- If the processing includes targeted advertising or profiling.
- The categories of personal data processed for each processing purpose, and whether sensitive or children’s data is processed.
- The third parties the controller is sharing or selling personal data to, in detail, and how that third party might process personal data. That includes data brokers.
- Instructions on opt-outs.
- A description of how the controller authenticates a consumer’s identity in the case of a DSAR.
And the list goes on.
David Stauss, a privacy attorney at Husch Blackwell, tracks state privacy laws closely. He said the length of the regulations, in general, surprised him. But the rules around privacy policies and the fact the disclosures must include “use cases” creates some problems in an already problematic area: concise privacy policies that use laymen’s terms.
“I’m not aware of any other law or regulation that has addressed it this way,” he said of the privacy notice mandates. “It’s something we’re going to have to think through as a privacy community, how we tackle this. I think a lot of us were optimistic we’d have the leeway to synthesize California, Colorado, Connecticut, Virginia, and Utah disclosures, so we could maybe not make our privacy policies 20-30 pages long.”
DPAs ‘bout to get heavier, longer
Stauss said he was also surprised by the draft’s scope on data protection assessments, particularly around processing. They’re … not light. The draft regs say DPAs, which must be a “genuine, thoughtful analysis,” must involve all the relevant parties from a controller’s structure and, “where needed, relevant external parties.” The DPA has to hit on 18 different topics, including:
- The processing activity
- The purpose of the processing
- Types of personal data processed
- Names and categories of third-party recipients
- Consumer expectations
- Risks to consumers
Also, controllers have to complete the DPA before initiating processing, and you’ve got to show the Colorado Attorney General the documents, if the office asks you to, within 30 days of the request.
Stauss said banning companies from starting any processing until it undergoes extensive review is going to be a tough pill for companies to swallow and potentially a bottleneck.
“How do we get this done in a practical way that’s cost efficient, and what are we going to put into these assessments that really counts as a risk to consumers?”
The emphasis on detailing risks related to processing deviates from what we’ve seen on state law DPA DPA requirements so far. It doesn't map to California, for example.
“A sell is one thing, but do you have to go through this multi-factor analysis to justify all the cookies on your website?” Stauss wondered. “Because that’s profiling, and that’s high risk processing activity under the regulations”
Sensitive data’s getting complicated
The draft regulations capture consent requirements for not only traditional categories of sensitive information, but also “sensitive data inferences,” defined as “inferences made by a controller based on personal data, alone or in combination with other data” that could indicate a person’s race, ethnicity, religious beliefs, mental or physical health, sex life or sexual orientation, or citizenship status.
The regs continue, “While web browsing at a high level may not be considered sensitive data, web browsing data which, alone or in combination with other data, create a profile that indicates an individual’s sexual orientation and is considered sensitive data” under the law.
In addition, controllers can process sensitive data inferences from those over 13 years old without consent but must delete sensitive data inferences “within 12 hours of collection or of the completion of the processing activity, whichever comes first.”
The regulations also state that if a controller has collected sensitive data prior to July 1, 2023, and hasn’t obtained valid consent to process it, the controller has to obtain that consent by January 1, 2023, to continue to process the sensitive data.
What’s next
The Colorado Attorney General’s Office will hold three virtual stakeholder meetings on November 10, 15, and 17, 2022, followed by a public hearing on February 1, 2023. From there, Weiser’s office has 180 days to file its final rules with the Colorado Secretary of State.
Here’s a resource on what the Colorado Privacy Act looks like, if you need a brush-up, and click here to see how TerraTrue can help you comply with it before July 2023.
