Is the Colorado Privacy Act Undergoing a Makeover?

In December of 2022, the Colorado Attorney General's Office (CAG) published a revised draft of rules contained in the Colorado Privacy Act (CPA). These rules have undergone several draft versions between September of last year and now, with stakeholder sessions being held, public comments being accepted, and a public hearing that was held on the 1st of February.

With its effective date, July 1st, approaching fast, the CPA’s proposed draft rules came in support of making the law both a significant part of the U.S. privacy landscape, and an interoperable law with international laws and jurisdictions. Added to this is the fact that some of its provisions, such as the requirement for a Data Protection Impact Assessment, make it a noteworthy example to, for example, California’s CCPA, which may consider the Colorado text for future regulations.

Throughout the many changes, the draft rules did not bring dramatic changes, but did however include key revisions that your organization should be aware of and prepare for, ahead of the July 1st deadline. To give you a hand, we have made a list of some of the key takeaways and changes made:

1. Privacy notices: these no longer have to be drafted around processing purposes, as was the case initially. This change favors data controllers who no longer have to disclose specific details around each processing purpose, but it also helps make the CPA easier to interoperate with other US state privacy notice requirements. 
2. Consent: unless a data subject has not interacted with you in the prior 12 months, you no longer need to refresh consent. Consent need also not be refreshed where the data subject has both the access and the ability to update their preferences at any time through an interface, and consent for processing biometric identifiers no longer has to be obtained annually. However, you are still required to review the data at least once every year to determine if it is still necessary, adequate and relevant to the initial purpose of collection.
3. One other noteworthy change, or rather correction of what may have been a typo, is the deadline for obtaining retroactive consent. Initially, it was stipulated that this would need to be obtained six months prior to the effective date of the CPA, however with the new draft rules this has been changed to January 1st, 2024.
4. Sensitive data: sensitive data inferences will require consent only if the data is not deleted after 24 hours, instead of the initial 12 hours.
5. Data Protection Impact Assessment: DPIA topics that have to be considered by your organization have been reduced to 13, instead of the initial 18. In actual fact, the 18 topics have been rewritten into 13, outlining pretty much the same points for consideration, such as personal data categories to be processed, the processing activity context, or the purposes of the processing activity.
6. Data Subject Rights: Some of the data subject rights have been revised. For the Right to Opt Out the method is no longer required in the privacy notice, for example, while for the Right to Correct, archives or backup systems are no longer covered unless the system becomes active or is next accessed for commercial purposes.
7. New definitions: The draft rules now offer a definition for ‘commercial products or services,’ namely a product or service bought, sold, leased, joined, subscribed to or delivered in exchange for monetary or other valuable consideration in the course of a controllers’ activity. There is also a new definition for what ‘publicly available information’ means which broadens the types of data excluded, and with the definitions for ‘employee,’’employer,’ and ‘employment records’, a gap will be filled as to what types of data maintained for employment record purposes is not covered.