The Colorado Privacy Act (CPA), one of a handful of state privacy laws set to take effect in 2023, is coming into greater focus with the release of proposed draft rules.
Last year, Colorado became the third state to pass comprehensive privacy legislation. The Colorado Attorney General’s office recently published much-anticipated draft CPA rules as part of the formal rulemaking process.
There’s a lot to consider in the 38 pages of text, including new definitions of key terms, clarification of controller obligations and consumer data rights, and technical specifications about global privacy controls.
Didomi breaks down the CPA rules that we’re keeping a close eye on heading into an eventful year for digital privacy.
How we got here with the CPA
The CPA was signed into law on July 8, 2021, with an effective date of July 1, 2023. Part of the State of Colorado’s Consumer Protection Act, the CPA imposes legal obligations on covered businesses that handle the personal data of Colorado residents.
While the broad outline of CPA regulations has been in place for over a year now, businesses have been seeking clarification on many of the specifics. The Colorado AG’s Office has been busy behind the scenes working on CPA rulemaking, and on October 10, it published proposed draft rules.
On its Byte Back privacy and data security blog, law firm Husch Blackwell describes the draft rules as long, complex, and part of a robust rulemaking process that makes clear “the Office intends to make its mark on U.S. privacy law moving forward.”
CPA and Global Privacy Controls
The CPA has significant overlap with other U.S. state privacy laws, but also departs in some ways from the regulatory approaches being taken in states like California, Virginia, and Utah.
Among the unique provisions of the CPA is a first-of-its-kind rule requiring companies to honor universal opt-out mechanisms (UOOMs). The draft rules explain that UOOMs are intended to give Colorado consumers a "single, simple technological mechanism” for communicating to multiple companies their right to opt-out of personal data processing, instead of making individual opt-out requests with each company.
The draft rules go into detail about UOOM technical specifications, notice and choice provisions, and default settings. But a term that’s not mentioned in the UOOM provisions—Global Privacy Control (GPC)—could be the most important.
GPC is a browser tool that communicates a user’s privacy preference to all websites they visit. When installed and turned on, GPC sends universal opt-out signals that tell companies not to sell or share the user’s data. Several browsers and browser extensions are equipped to send the GPC signal, including Brave, Firefox, DuckDuckGo, Abine, and Privacy Badger, and more GPC tools are in development.
Although the CPA does not require companies to use GPC, it is ultimately the only technology that meets CPA UOOM requirements. Reading between the lines, the Colorado AG is effectively telling companies that they should be prepared to recognize and honor GPC signals.
All businesses subject to the CPA are subject to the UOOM rule. The CPA effective date for allowing consumer opt-outs through UOOMs is July 1, 2024.
Consent after GPC opt-outs
A major difference between the European General Data Protection Regulation (GDPR) and U.S. state privacy laws is that the GDPR requires opt-in consent, while U.S. laws place the burden on consumers to opt-out of data processing.
But the shift to GPC signals in Colorado as well as California, which in July 2021 said that businesses must honor GPC as a legitimate “do not sell” request, means that the U.S. privacy model could be moving toward a European model.
Didomi discussed this development as one of our takeaways from the IAPP Privacy. Security. Risk. 2022 conference in Austin, Texas. We wrote that, as UOOMs become more widely adopted, this will have a strong impact on organizations’ data collection practices, and they will need to implement solutions that re-engage users and collect consent when possible.
The concept of “consent after opt-out” is mentioned in the CPA’s draft rules. According to the Colorado AG:
“If a Controller wishes to proactively obtain Consent to Process Personal Data for an Opt-Out Purpose after the Consumer has opted out of Processing for that Purpose, a Controller shall provide a link or similar mechanism on its website or application that enables the Consumer to provide Consent.”
To obtain valid consent following a universal opt-out, the link or mechanism must:
Have a look, feel, and size that is similar to other links on the same web page or app
Not be presented in a pop-up window or banner or other interactive displays that “degrade or obstruct” the user experience on the web page or app
Meet all other valid consent requirements in the CPA
CPA Rule 7.03 states that consumer consent is valid only if the following elements are met:
It is obtained through a clear, affirmative action (acceptance of general terms and conditions or the use of pre-checked boxes does not constitute a “clear, affirmative action”)
It is freely given (the controller cannot deny service to a consumer for refusing to provide consent, unless their personal data is necessary to provide the service)
It is specific (consent must be given for each specific data processing purpose; consenting to one purpose does not imply consent for other purposes)
It is informed (a consent request must disclose the controller’s identity, reason why consent is required, the processing purpose, the categories of data processed, and the list of parties that will have access to the data)
In addition, requests for consent must comply with CPA Rule 7.04. This rule states that controllers must provide a “simple mechanism” that is “easy for a reasonable consumer to locate” and is “separate and distinct from other terms and conditions.”
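The two technical points above, recognizing a GPC signal on an incoming request and only allowing processing for an opt-out purpose again once purpose-specific, affirmative consent has been collected after the opt-out, can be expressed as a small server-side decision routine. The following is an added example, not Didomi’s code and not part of the draft rules. It assumes the GPC signal is carried in the HTTP request header `Sec-GPC: 1` (as defined by the GPC specification); the purpose labels, the `ConsentRecord` shape and the sample headers are constructed for illustration.

```python
"""Added example: honoring a Global Privacy Control (GPC) signal server-side
and gating "opt-out purpose" processing on it.

Assumptions (not from the page): the GPC signal is the request header
`Sec-GPC: 1`; any other value, or a missing header, is treated as "no signal".
Purpose names and the ConsentRecord structure are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Purposes a consumer can opt out of through a UOOM (constructed labels that
# mirror the draft rules' "Opt-Out Purpose" concept: sale and targeted ads).
OPT_OUT_PURPOSES = {"sale", "targeted_advertising"}


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries `Sec-GPC: 1`.

    HTTP header names are case-insensitive, so normalise before the lookup;
    surrounding whitespace in the value is ignored, anything but "1" is not
    a signal.
    """
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    return normalised.get("sec-gpc") == "1"


@dataclass(frozen=True)
class ConsentRecord:
    """One consumer's consent for one purpose (constructed shape).

    affirmative_action: True only for a deliberate click on a dedicated consent
        mechanism. Pre-checked boxes or blanket T&C acceptance are recorded as
        False so they never count as consent (CPA Rule 7.03).
    given_after_opt_out: True when the consent was collected through the
        "consent after opt-out" link, i.e. while the opt-out already applied.
    """
    purpose: str
    affirmative_action: bool
    given_after_opt_out: bool


def may_process(
    purpose: str,
    headers: Mapping[str, str],
    consent: Optional[ConsentRecord] = None,
) -> bool:
    """Decide whether processing for `purpose` is allowed on this request.

    - Purposes outside the opt-out set are not gated by GPC at all.
    - A GPC signal blocks an opt-out purpose unless the consumer later gave
      purpose-specific, affirmative consent. Consent for a different purpose
      does not carry over (consent must be "specific").
    """
    if purpose not in OPT_OUT_PURPOSES:
        return True
    if not gpc_signal_present(headers):
        return True
    if consent is None:
        return False
    return (
        consent.purpose == purpose
        and consent.affirmative_action
        and consent.given_after_opt_out
    )


def decide_request(
    headers: Mapping[str, str],
    consents: Mapping[str, ConsentRecord],
) -> Dict[str, bool]:
    """Evaluate every opt-out purpose for one request, e.g. for an audit log.

    `consents` maps purpose -> the consumer's consent record for that purpose.
    """
    return {
        purpose: may_process(purpose, headers, consents.get(purpose))
        for purpose in sorted(OPT_OUT_PURPOSES)
    }


if __name__ == "__main__":
    # Constructed request: a browser sending the GPC signal.
    gpc_request = {"Host": "example.test", "Sec-GPC": "1"}
    # The consumer later clicked the dedicated "consent after opt-out" link for
    # sale only; targeted advertising therefore stays blocked.
    consents = {"sale": ConsentRecord("sale", True, True)}
    print(decide_request(gpc_request, consents))
```

The decision deliberately fails closed: a malformed header value, a consent record for another purpose, or a record flagged as not being an affirmative action all leave the opt-out in force, so a bug in the consent-collection path cannot silently re-enable sale or targeted advertising.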
What’s next for the CPA
It is anticipated that CPA rules will be finalized sometime in the first half of 2023. In the meantime, there are a few key events, including stakeholder meetings in November and a public hearing on February 1, 2023.
Between Oct. 10, 2022 and Feb. 1, 2023, comments can be submitted in writing through the Colorado AG’s comment portal. The public hearing will be conducted both in person and by video conference. Anyone wishing to attend the hearing can register in advance.
Following the hearing, the AG will have 180 days to file the final rules with the Colorado Secretary of State. Those rules will then take effect 20 days after publication. The CPA will be enforced starting July 1 of next year. UOOM requirement enforcement begins one year later, and on January 1, 2025, the CPA’s notice of violation and right to cure expires.
Managing consent in a changing privacy environment
The coming year will be an extremely busy one for state privacy laws, as the CPA, the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA), the California Privacy Rights Act (CPRA), and the Utah Consumer Privacy Act (UCPA) are set to roll out in 2023.
Companies that don’t make data privacy a priority in these states could be subject to heavy fines. And those that fail to provide privacy-first, user-oriented experiences could be at a competitive disadvantage relative to organizations that prioritize data control and transparency.
Complying with notice and consent requirements in U.S. privacy laws is a necessary starting point. But companies should be thinking past the basic opt-in / opt-out dichotomy and focusing on a tailored user experience in the emerging cookieless future.
Didomi’s Consent Management Platform and Preference Management Platform make us a partner of choice for U.S. companies addressing a rapidly-changing regulatory landscape. Let us take care of your data privacy needs so you can focus on your business. Schedule a demo to learn more.