Revisions To The Colorado Privacy Act Have Been Released: Prepare For The Upcoming Law
The Colorado Privacy Act (CPA) was signed into law on July 8, 2021, and has become a highly anticipated comprehensive data privacy law in the United States. Much like the California Consumer Privacy Act (CCPA), the CPA aims to provide certain protections for personal data for consumers, with the CPA set to go into effect on July 1, 2023. The CPA will apply to entities that do business in Colorado and either (a) process the data of at least 100,000 Colorado residents or (b) derive revenue or receive a discount on goods or services from selling personal data and process the data of at least 25,000 Colorado residents.
In anticipation of the upcoming effective date, the Colorado Attorney General has issued revisions to the CPA that further define the obligations that will be placed upon covered entities when the CPA goes into effect in 2023. Here are some of the most important changes to note while preparing for the CPA:
The Right to Limit Profiling
Under the CPA’s original statutory language, consumers were to be granted the right to opt out of profiling when such profiling produced “Legal or Similarly Significant Effects”. This right has been updated to only be granted to consumers when the profiling results in “provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” This updated definition makes clear that consumers’ right to limit profiling only arises in these situations.
Biometric Identifiers Definition
The draft rules have revised the definition of “Biometric Identifiers” to only include biometric information that can be used for the purpose of identifying a unique individual. Under this new definition, characteristics that are biometric in nature but that cannot be used to identify an individual will be exempt from being considered “Biometric Identifiers”.
Privacy Notice Requirements
Under both the original statutory language of the CPA and the revised rules, controllers are to be required to inform consumers of “substantive or material” changes to their privacy policies. However, under the revised rules, the definition of “substantive or material changes” has been revised to explicitly include changes to: “(1) categories of Personal Data Processed; (2) Processing purposes; (3) a Controller’s identity; (4) the act of sharing of Personal Data with Third-Parties; (5) the identity of Affiliates, Processors, or Third-Parties Personal Data is shared with; or (6) methods by which Consumers can exercise their Data Rights request.” This definition expands upon the previous definition of substantive or material changes.
Additionally, covered entities were previously going to be required to provide 15 days’ prior notice before effecting any substantive or material changes to their privacy policies. This 15-day requirement has since been removed.
Refreshing Consent
Previously, controllers who rely upon consumer consent for processing were to be required to refresh consent occasionally as needed. Under the revised rules, an explicit requirement to refresh consent every 12 months has been incorporated. This 12-month requirement applies in certain situations when the controller is processing Sensitive Data or pursuant to a Secondary Use, which are defined terms under the law.
What’s Next?
Following the publication of these draft rules on December 21, 2022, the Colorado Attorney General began accepting public comments on the revisions. The Colorado Attorney General’s office will accept public comments until convening a formal rulemaking hearing on February 1, 2023. Due to the short timeline, it is unlikely that the draft rules will see major revisions at the formal rulemaking hearing, and businesses should take steps to prepare for the rules as currently written.
Do you have questions about any upcoming state privacy laws? Reach out to a member of McGrath North’s Privacy and Cybersecurity Practice Group for practical guidance on the rapidly changing landscape of comprehensive consumer privacy laws in the United States.
Related Attorneys
