Colo. AG Office Revises Privacy Draft Rules
Revised Colorado Privacy Act (CPA) draft rules make some proposed requirements easier and others harder for data controllers, business privacy attorneys wrote last week. The Colorado attorney general’s office is seeking comments by Jan. 18 on revised draft rules released Wednesday. “Some changes will be heralded by privacy advocates, while others will make implementation easier for businesses,” said McDermott Will attorneys.
The revisions modify September draft rules (see 2210040016). The AG office will take oral comments at a Feb. 1 hearing. Proposed rules are scheduled to take effect in July. “We are taking an iterative approach to the CPA rulemaking process and welcoming public input on revisions we make to the proposed draft rules during the rulemaking period,” the AG office wrote. It asked specific questions about definitions, using IP addresses to authenticate opt-outs, universal opt-out mechanisms, controller obligations and loyalty programs.
Two “changes could dramatically increase the burden on businesses when responding to access requests,” McDermott attorneys wrote. One change clarifies that consumers should receive “final Profiling decisions, inferences, derivative data, and other Personal Data created by the Controller which is linked or reasonably linkable to an identified or identifiable individual.” Another requires companies to include explanations and avoid “incomprehensible internal codes.” The AG office also removed an “impossibility” exception, said the lawyers: “On the other side of the burden ledger, the proposed regulations make it clear that backup and archived systems are outside the scope of requests to correct” or delete.
“The changes are mostly controller-friendly with modifications to the privacy notice, consent, and data protection assessment provisions likely to facilitate compliance,” Husch Blackwell attorney David Stauss said. One big change is that the proposed rules “no longer require that privacy notices be drafted around processing purposes,” he said. Also, the AG office clarified that “the prohibition on dark patterns applies when controllers are obtaining consumer consent and not generally to all user interfaces,” he said.
Revisions “represent a fine-tuning as opposed to a complete overhaul,” blogged Ballard Spahr lawyers. “Some of these changes -- such as additional flexibility on Data Protection Assessments -- will likely be welcome news to businesses. Others -- such as the definitions of commercial product or service and noncommercial purpose -- may be less welcome by non-profit and governmental entities hoping to avoid the CPA’s application.”
The California Privacy Rights Act takes effect Jan. 1, though rules may not take effect until April or later (see 2212160040). The Virginia Consumer Data Protection Act also takes effect Jan. 1.
“Service providers, contractors and data collectors operating in California and Virginia, must prepare for imminent changes,” cautioned Warner Norcross: Both state laws “require noteworthy changes to a business’s privacy policy disclosures with respect to the processing of consumers’ personal information” and to contracts with others.