
COLORADO - AG ISSUING DRAFT RULES ON CONSUMER DATA PRIVACY - LOYALTY PROGRAMS AFFECTED


When do the new laws take effect?

To allow companies time to change their practices and operations to comply with this new law, it will not take effect until July 1, 2023.

Under the act, Colorado consumers will gain additional insight into what personal data controllers collect, share and sell, and how that data is used. Additionally, Colorado consumers will have the following enumerated rights with respect to their personal data:

  • The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling;
  • The right to know whether a controller is collecting personal data;
  • The right to access personal data that a controller has collected about them;
  • The right to correct personal data;
  • The right to delete personal data; and
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

The Colorado Attorney General's Office is seeking public comment on draft rules tied to 2021 legislation that will allow consumers more control over their personal data, including a so-called "universal opt-out."

The draft rules being considered include:

  • Definitions and clarifications of key terms such as “biometric data,” “bona fide loyalty programs,” and “publicly available information”
  • Description of how Coloradans may exercise new rights over their personal data, including the right to access and correct personal data and to opt out of the sale of personal data, or use of personal data for targeted advertising or profiling
  • Technical specifications for a tool or mechanism that will allow consumers to opt out of the processing of personal data by all businesses, instead of on a case-by-case basis
  • The duties of entities that use and control consumers’ personal data, including obligations to safeguard personal data and protect consumer privacy
  • A clarification of the disclosures and limitations associated with the use of Coloradans’ personal data for bona fide loyalty programs, or programs that offer discounts, rewards, or other actual value in exchange for personal data
  • A clarification of the requirements for obtaining consent from Coloradans prior to specific uses of personal data, addressing the prohibition against obtaining consumer agreement through unclear or ambiguous means, often called “dark patterns”
  • Description of the required scope, content, and timing of data protection assessments, which controllers must complete before using personal data for activities that present a heightened risk of harm to consumers
  • When and how controllers must respond to consumers' requests to opt out of specific kinds of automated profiling, as well as what controllers must include in data protection assessments when conducting automated profiling

 

More comprehensive information is here:

https://coag.gov/resources/colorado-privacy-act/

The attorney general's office is also holding virtual stakeholder meetings on Nov. 10, Nov. 15, and Nov. 17, with a rulemaking hearing to follow on Feb. 1. 

This first rulemaking:

Stakeholder sessions

The department will host three virtual stakeholder meetings to discuss the CPA proposed draft rules. These stakeholder meetings are a forum for the department to gather feedback from a broad range of stakeholders for the development of rules to implement the CPA. Stakeholder meetings will occur in advance of the rulemaking hearing and speaking participants will be asked to provide their input and insight, along with constructive feedback and suggestions, on the draft rules in an open discussion format. Please submit any written comments you would like to inform these stakeholder meetings by Monday, Nov. 7, 2022.

The stakeholder session dates and topics are as follows:

Nov. 10, 2022

When: 10 a.m. – 1 p.m. MST

Topics: Consumer Rights and Universal Opt-Out Mechanisms

Register here

The link to the rules can be found here; the link to provide public comment can be found here. The deadline for providing public comment is Feb. 1.

The rules under consideration now stem from Senate Bill 21-190, which will create a global or universal opt-out for Coloradans. A consumer would need to opt out just once, and personal data cannot be stored, shared or sold by any website or company covered by the law. That makes Colorado's law stronger than the data privacy laws in California — where it's optional — and Virginia, which enacted a new data privacy law in 2021.

The bill also requires websites to make a number of notifications to consumers.

Those include notification about what information the business has, that a copy of that data is available to the consumer, and that the consumer has a right to correct and delete personal information. The law also provides an "opt in" for sensitive data, such as biometric data. That's the data that includes body measurements, facial recognition or even keyboard strokes. The opt-in also applies to data on children and demographic information. The law also imposes responsibilities on businesses and other entities covered by the bill, such as transparency. If the business does not comply, there is an appeal process to the attorney general or to a local district attorney who would handle enforcement.

If any members would like CWPMA to submit comments on this docket, please let me know.

Many CWPMA and RMFIA members have loyalty programs or app-based services. If you are one of those companies, this alert is for you. Please read through the proposed language and contact the association if you have any comments. Language like this has passed in several states such as California, Vermont and Utah. Below is an example of the disclosure requirement for a c-store/grocer chain:

 

https://www.eg-america.com/are-you-a-ca-resident/