Across the Finish Line: Final Rules and Regulations Issued under the Colorado and California Privacy Laws
It’s been a busy season for U.S. privacy regulators, particularly in Colorado and California, where final rules and regulations have recently been issued under the states’ respective privacy laws. In Colorado, the Attorney General’s Office filed the finalized Colorado Privacy Act Rules with the Colorado Secretary of State’s Office, and those rules will go into effect on July 1, 2023.
Meanwhile, in California, the Office of Administrative Law (OAL) approved the first substantive set of regulations under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. The approved California regulations have not changed substantively since the final proposed regulations were submitted to the OAL in February 2023, which we covered in our previous client alert. The newly approved California regulations are effective immediately, but enforcement of the approved regulations will not begin until July 1, 2023, the same date that the Colorado Privacy Act and its accompanying rules go into effect.
While it is evident that the Colorado regulator took the California regulations into account, the Colorado rules are by no means a mirror image of the California regulations. In this alert, we examine key compliance areas under the Colorado rules and the California regulations, flagging similarities and differences between the two so that companies subject to both laws can consider how to comply efficiently with both sets of requirements.
The Colorado rules and the California regulations both include lists of disclosures that must be provided in a privacy policy. While the lists of required disclosures overlap to a large degree, there are differences that will likely require covered businesses (called “controllers” under the Colorado law) to adjust their privacy policies prior to the July 1, 2023 enforcement deadline.
A notable difference is the emphasis on “processing purposes” under the Colorado rules. While the California regulations require a privacy policy to identify the “specific business or commercial purpose” for collecting, selling, sharing, and/or disclosing personal data, the Colorado rules appear to mandate even more specificity regarding processing purposes, stating that information provided in a privacy policy must be “linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that data . . . for a specified purpose.” In addition, businesses must not identify one broad purpose to justify numerous processing activities, yet they should avoid specifying so many purposes that the purpose becomes unclear or uninformative.
Like the California regulations, the Colorado rules require privacy policy disclosures regarding, for example, the sale of personal data, use of personal data for targeted advertising (called “sharing” under the California law), disclosures of personal data to third parties, privacy rights and how to exercise them, and privacy request authentication processes.
The California regulations and the Colorado rules also both require specific disclosures related to loyalty or similar benefits programs (called “financial incentives” under the California law and “Bona Fide Loyalty Programs” under the Colorado law). There are some differences between the two sets of required disclosures, but there is also a significant amount of overlap, so a combined disclosure should be fairly easy to achieve.
The Colorado rules include several sections dedicated to consent, including when and how businesses must obtain consent, what constitutes valid consent, avoiding dark patterns that subvert user autonomy, and handling scenarios such as consent withdrawal, consent after opt-out, consent for children, and consent refresh. Notably, under the Colorado rules, if businesses do not obtain valid consent prior to July 1, 2023, and if they intend to continue to use, store, or otherwise process sensitive data collected prior to this date, they must obtain valid consent (as detailed under the Colorado Privacy Act and the Colorado rules) by July 1, 2024, to continue to process the previously collected sensitive personal data. Moreover, when a consumer has not interacted with a business in the prior 24 months, the business must refresh consent to continue processing sensitive personal data or to continue processing personal data for a secondary use, if the secondary use involves certain types of profiling.
The California regulations likewise highlight consumer consent, primarily in the context of opting into “sale,” “sharing” (for cross-context behavioral advertising), and certain uses of sensitive personal data, as well as consent for children. For example, the California regulations specify that there must be “symmetry in choice,” e.g., a choice to opt in to the sale of personal data that provides only the two options “Yes” and “Ask me later” is not symmetrical because there is no option to decline the opt-in. Like the Colorado rules, the California regulations prohibit obtaining consent through the use of dark patterns. As discussed below, both the Colorado rules and the California regulations require consent prior to processing personal data for a secondary use.
The Colorado rules and the California regulations place new limits on the “secondary use” or “incompatible” use of personal data. Under the California regulations, a business that intends to use personal data for an additional purpose that is incompatible with the disclosed purpose(s) for which the personal data was collected must obtain consent. Likewise, under the Colorado rules, a business must obtain consent before processing personal data for purposes that are not compatible with the specified processing purposes disclosed on or after July 1, 2023. Both the Colorado rules and the California regulations provide factors for businesses to consider when determining whether an additional processing purpose is reasonably compatible with the original specific purpose(s).
Under the California regulations, it is mandatory for businesses that “sell” or “share” personal data to recognize and honor a consumer’s universal opt-out preference signal, e.g., a preference signal sent by web browsing software like the Global Privacy Control. Colorado also gives consumers the ability to use a universal opt-out mechanism to communicate their opt-out choice(s) to multiple businesses using one method, and the Colorado rules provide basic technical specifications and create standards governing the development and implementation of opt-out mechanism requirements.
Unlike the California regulations, however, which generally require businesses to honor any opt-out preference signal sent “in a format commonly used and recognized by businesses,” the Colorado rules provide businesses with more specificity regarding which opt-out mechanisms they will be required to honor. Per the Colorado rules, the Colorado Department of Law will maintain a public list of universal opt-out mechanisms that have been recognized to meet the standards under the final rules. The initial list will be released no later than January 1, 2024. By July 1, 2024, businesses must be capable of recognizing any universal opt-out mechanism reflected in the initial public list. Thereafter, businesses must be capable of recognizing any universal opt-out mechanism reflected in any periodically updated public list, provided the business has had at least six months’ notice of the addition of new mechanisms.
The California and Colorado laws differ in a number of ways concerning their treatment of sensitive personal data, which is defined differently under each law. Notably, the Colorado law requires opt-in consent to process sensitive personal data, while the California law provides consumers with the right to opt out of certain uses and disclosures of their sensitive personal data. In addition, per the Colorado rules, sensitive personal data now includes “Sensitive Data Inferences,” which are “inferences made by a Controller based on Personal Data, alone or in combination with other data, which are used to indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.”
The Colorado rules also require a business to delete, permanently anonymize, or otherwise render inaccessible sensitive personal data if the business no longer has a valid consent to process that data.
Both the Colorado rules and the California regulations include the principle of data minimization, which requires businesses to determine and collect only the minimum amount of personal data that is necessary and proportionate to the specified processing purpose(s).
The Colorado rules delve into further detail on data minimization requirements, specifying, for example, that Biometric Identifiers, as well as a photograph of a person or an audio or voice recording containing the voice of a person, or any personal data generated therefrom, must be reviewed and assessed at least once a year to determine if its storage is still necessary, adequate, or relevant to the express processing purposes. Such an assessment must be documented. (Note: “Biometric Identifiers,” a newly defined term under the Colorado rules, include “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed for the purpose of uniquely identifying an individual,” e.g., a fingerprint, voiceprint, or facial mapping.)
The Colorado Privacy Act requires businesses to conduct and document data protection assessments before undertaking certain processing activities that present heightened risks of consumer harm. The Colorado rules clarify the scope and requirements of data protection assessments, including guidance on scope, stakeholder involvement, content, timing, and responding to requests from the Colorado Attorney General.
We have yet to see draft regulations regarding similar assessments under the California law. Now that the first set of California regulations has been finalized, the California Privacy Protection Agency has recently commenced rulemaking for the next set of topics, which include cybersecurity audits and privacy risk assessments.
The Colorado rules provide detailed guidance on profiling and related obligations under the law, including considerations for opt-out transparency and notice, profiling-related data protection assessments, and automated decision-making. The California Privacy Protection Agency is currently working on regulations regarding profiling and automated decision-making but has yet to release a draft of those regulations.
We’ll dig into the details even more in our upcoming May 11, 2023 webinar on the new Colorado rules and California regulations. We hope to see you there!