Truyo president Dan Clarke gives his thoughts on the intricacies of the Colorado Privacy Act as it stands today and how the Attorney General will affect rulemaking as we approach the effective date of July 1, 2023.
The Colorado Privacy Act passed in July 2022, granting specific rights and obligations while generally following the framework of the Virginia Privacy Act – but the implementation and rulemaking could shape different priorities. The Attorney General is granted rulemaking authority in three categories: (1) clarifying the universal opt-out mechanisms via technical specifications for practical implementation; (2) issuing opinion letters and other governance to companies; and (3) discretion to create rules for the purpose of carrying out the CPA, which is quite a broad authority. Colorado Attorney General Phil Weiser has given us insights into how the public comments process may guide the practical and operational elements of how privacy will work for companies in scope.
Respect the Global Opt-out Signals
The Global Privacy Control (GPC) is still in a nascent state but is clearly a priority for Colorado and the AG, who has undoubtedly signaled that all companies that collect consumer information need to offer consumers an easy opt-out mechanism. This is unmistakably going to be a priority, especially for the sale of PI or even targeted advertising, but specific rules are needed.
Avoid Even the Appearance of Dark Patterns
Stating that using a “dark pattern” negates consent provides a powerful method to regulate this area of privacy, but guidance is needed, especially to avoid inadvertent violations. Consent must be freely given, specific, and informed, and a dark pattern directly contradicts this, especially when it tries to manipulate a consumer’s rightful choice.
How to Regulate Profiling and ADM
The AG asked for feedback about how to be most transparent with consumers so they can make informed decisions on automated decision making and profiling, indicating this may warrant significant legal attention.
Opinion Letters and Interpretive Guidance Process
The CPA directs the AG to issue opinion letters and other guidance, and the AG asked where this effort should be focused. I think input to the opinion process could help clarify many key operational issues that are currently grey areas, such as in off-line data collection and exactly how consumers can exercise their rights. This can help avoid unnecessary disputes.
How Much Should This Follow Other Jurisdictions
By asking this question, I’m hopeful the AG is signaling that they will try to align with other privacy laws so that the mechanism can be shared as much as feasible.
Privacy Impact Assessments Are Important
New for most US companies, but already required by GDPR, Data Privacy Assessments are not only crucial for complying with the CPA (and other upcoming state laws such as Virginia and CPRA), but also extremely important for truly understanding your own environment. Colorado may choose to follow other standards in this area for consistency and ease of implementation by companies.
How enforcement unfolds under such a highly engaged AG will certainly shape the privacy landscape and should be monitored.