With 2023 Compliance Deadlines Looming for Several New State Privacy Laws, California and Colorado Release Draft Privacy Rules
Of the five new state-level omnibus privacy laws that are going into effect in 2023, two authorize state-level rulemakings: the California Privacy Rights Act (CPRA) and the Colorado Privacy Act (CPA). These two states’ rulemaking processes are both officially underway, with both states releasing draft regulations and announcing opportunities for impacted stakeholders to engage in the rulemaking process. Most recently:
- On October 17, 2022, the California Privacy Protection Agency (CPPA) released modified proposed regulations, along with a summary of the latest modifications. These modified proposed regulations change the initial draft regulations released earlier in 2022 as part of the agency’s CPRA rulemaking process. These modified rules come in advance of the CPPA’s open meeting, which will be held October 28-29. Notably, the timing of California’s process and the modified proposed regulations appear to be part of an effort by the CPPA to finalize the regulations by the end of this year.
- On September 30, 2022, the Colorado Attorney General’s (Colorado AG) office released draft privacy rules pursuant to the CPA. The Colorado AG will host three virtual stakeholder meetings to gather feedback on the draft rules on November 10, 15, and 17, 2022, and a formal rulemaking hearing will be held on February 1, 2023. Written comments will be accepted from now until February 1, 2023: for comments to inform the stakeholder meetings, they should be filed by November 7, 2022; for proposed revisions to be presented at the formal rulemaking hearing, comments should be filed by January 18, 2023.
Below, we provide some key takeaways from the proposed rules in each state, along with next steps that organizations subject to the new California and Colorado laws should be aware of. In each case, the proposed regulations would have a significant impact on a covered organization’s compliance planning, so any organization covered by one of these new laws should be aware of these proposals and developments.
California’s Modified Proposed Regulations
As background, the CPPA – California’s new privacy agency established by the CPRA – already sought comments on its initial draft regulations issued earlier this year. In total, the CPPA reports receiving over 130 comments – either written or oral – in response to its initial draft.
Following this initial round of comments, the CPPA has now released modified proposed regulations. While several changes in the modified proposed regulations are non-substantive, many of the changes could meaningfully impact businesses and service providers that are in the process of developing CPRA compliance programs. For example, some (but importantly not all) of the meaningful changes include:
- Restrictions on the Collection and Use of Personal Information (PI). As explained in the CPPA’s summary of its proposed changes, the modified proposed regulations state that “a business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.” The modified proposed regulations also set forth specific factors, as well as examples, to determine whether a particular processing use case is: (1) consistent with the reasonable expectations of the consumer, (2) compatible with the context in which the PI was collected, and (3) reasonably necessary and proportionate to achieve the relevant purposes.
- Choice Architecture and Dark Patterns. The modified proposed regulations clarify that choice architecture (i.e., the design of ways in which a consumer can make a choice) that impedes consumer choice has the effect of negating a consumer’s consent. Regarding dark patterns, while the initial proposed regulations deemed consent obtained through dark patterns invalid, the modified proposed regulations clarify that a business’s “intent” is but one factor to be considered and is not determinative regarding whether the business’s user interface is a dark pattern.
- Notice at Collection. The modified proposed regulations eliminate the requirement that a business include the names of all third parties that control the collection of PI in its notice at collection. The CPPA explains that it made this change “to simplify implementation at this time.” However, the modified proposed regulations still hold that for purposes of a notice at collection, “more than one business may control the collection of a consumer’s information, and thus, have an obligation to provide [such notice].” Of note, the modified proposed regulations allow for first and third parties to provide a single notice at collection that covers their collective information practices.
- Sensitive PI. The modified proposed regulations exempt sensitive PI that is collected or processed without the purpose of inferring characteristics about a consumer from requests to limit use.
Of note, the modified proposed regulations do not address some of the more controversial aspects of the CPPA’s initial draft regulations. For example:
- Opt-Out Preference Signal. The modified proposed regulations retain the provisions that would make processing an opt-out preference signal that meets certain requirements mandatory for businesses that sell or share PI.
- Agency Audit Authority. Under the modified proposed regulations, the CPPA would still maintain broad authority to audit – either announced or unannounced – a business, service provider, contractor, or other person to ensure compliance with the law.
Colorado’s Proposed Rules
Prior to Colorado’s recent release of its first draft of proposed regulations, it sought pre-rulemaking comments from the public earlier this year and received over 40 written submissions. Informed by this input, the Colorado AG’s office has now released draft proposed regulations that consist of ten parts: (1) general applicability; (2) definitions; (3) consumer disclosures; (4) consumer personal data rights; (5) universal opt-out mechanism (UOOM); (6) duties of controllers; (7) consent; (8) data protection assessments (DPAs); (9) profiling; and (10) materials incorporated by reference. While the draft regulations are detailed, some key takeaways include:
- Definitions. The draft regulations define a number of terms that are not defined in the statute. Many of these definitions will have operational impacts for organizations developing their Colorado compliance plans. For example, the draft regulations define three distinct types of automated processing: “human involved automated processing,” “human reviewed automated processing,” and “solely automated processing.” The draft regulations go on to impose different profiling requirements based on these different types of automated processing.
- Consumer Personal Data Rights. The draft regulations outline specific requirements for each consumer right under the CPA (i.e., right to opt out, right of access, right to correction, right to deletion, and right to data portability). The draft regulations also clarify that the “Data Rights request method” does not have to be specific to Colorado, so long as the request method clearly indicates which rights are available to Colorado consumers, among other limitations. Additionally, the draft regulations establish rules for authenticating the identity of consumers making rights requests, as well as controller duties related to responding to consumer requests.
- UOOM. Consistent with the statute, the draft regulations emphasize that controllers will be required to recognize UOOMs effective July 1, 2024. The draft regulations would establish rules for platforms, developers, or providers that provide a UOOM, as well as for controllers. The draft regulations also set forth technical specifications for UOOMs and contemplate that the Colorado Department of Law will maintain a public list of UOOMs that have been deemed to meet such standards.
- Duties of Controllers. The draft regulations also detail several controller obligations, including providing privacy notices, certain obligations related to offering loyalty programs, obtaining consent before processing sensitive data, specifying the purpose for which a controller collects and processes personal data, limiting and minimizing data processing, and securing personal data, among other activities. Of note, controllers would have various recordkeeping obligations, including an obligation to maintain records of all consumer data rights requests for at least two years.
- Consent. The draft regulations explain that consent is required under a number of circumstances, including: “Processing a Consumer’s Sensitive Data; Processing Personal Data concerning a known Child, in which case the Child’s parent or lawful guardian must provide Consent; Selling a Consumer’s Personal Data, Processing a Consumer’s Personal Data for Targeted Advertising, or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer after the Consumer has exercised the right to opt out of the Processing for those purposes; and Processing Personal Data for purposes that are not reasonably necessary to, or compatible with, the original specified purposes for which the Personal Data are Processed.” The draft regulations set forth detailed rules regarding valid consent, including provisions related to the prohibition on obtaining consent via “dark patterns.” Of note, the draft regulations discuss the expectations for controllers to “refresh” consent, noting that consent should be refreshed “at regular intervals based on the context and scope of the original Consent,” and specifically requiring that “[f]or Processing of Sensitive Data, Consent must be refreshed at least annually.”
- DPAs. Under the statute, controllers are required to conduct DPAs before initiating a data processing activity that “Presents a Heightened Risk of Harm to a Consumer, as defined at C.R.S. § 6-1-1309(2).” The draft regulations specify requirements for DPAs and their timing, as well as AG requests for such DPAs.
Next Steps in the State Privacy Process
As noted above, the CPPA will hold a public meeting scheduled for October 28-29, and the agenda is available here. Parties interested in providing feedback and input are encouraged to attend. The CPPA had originally also scheduled an open meeting for October 21-22, but has since cancelled those meetings.
Next month, the Colorado AG will hold virtual stakeholder meetings on November 10, 15, 17. More details are available here. Written comments to inform the stakeholder meetings should be submitted by November 7, 2022. The AG will also hold a formal rulemaking hearing on February 1, 2023. While the comment period will be open from now through the last day of the formal hearing, for any proposed revisions to be considered at the February 1, 2023 hearing, comments should be filed by January 18, 2023.
State privacy rulemakings will further muddle the increasingly complicated regulatory patchwork of state privacy law. Accordingly, complying with state statutory requirements is only the first step, and organizations must continue to monitor state-level privacy regulatory developments which can impose additional obligations. Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and compliance with new privacy laws and advocate before government agencies. Please reach out to any of the authors with questions.
This post was updated on 10/20/2022 to reflect a change to the CPPA’s open meeting schedule.