The Colorado Attorney General’s office on Dec. 21 published its second draft of rules for an upcoming law around data privacy and consumer protection in the state. The law, effective July 1, 2023, will make Colorado one of a handful of states with comprehensive data privacy laws.
The state AG’s office is tasked with creating rules for the Colorado Privacy Act and is seeking public input on the latest draft.
Enacted in 2021 through Senate Bill 21-190, the CPA created personal data privacy rights for Colorado consumers and is meant to protect consumers from unauthorized personal data disclosure. Among other things, the law requires businesses that collect consumer data, or controllers, to provide privacy disclosures about what personal data they collect, what it’s used for, whether it’s shared with third parties and how consumers can access, delete or correct their personal data. Only the state AG’s office or district attorneys may enforce the act.
The first draft of the CPA’s proposed rules was released Oct. 10 after the Colorado AG’s office held multiple stakeholder sessions. The latest version of the CPA incorporates feedback from some of the 29 comments submitted since the initial draft and additional stakeholder feedback sessions. The AG’s office will host a hearing on Feb. 1 on the latest rules.
Some top concerns raised in the comments centered around the CPA’s definitions for universal opt-out mechanisms, the use of publicly available information and requests to exempt nonprofits and newsrooms from the law.
Who is Excepted?
In submitted comments and public feedback sessions, multiple nonprofits and journalism agencies expressed concern the original draft of the CPA could create a heavy burden on organizations serving the public.
According to written comments from local and national nonprofits Aspen Public Radio, the Museum of Contemporary Art Denver, the American Cancer Society, the National Insurance Crime Bureau and Code.org, including nonprofits in the CPA could take resources away from the organizations and hamper their missions. States like California have exempted nonprofits from data privacy rules, and written feedback encouraged Colorado to adopt a similar approach.
In response, the AG’s office included definitions to clarify what organizations and activities are considered commercial products and services and what are considered non-commercial. The definitions line up with Colorado’s statutory definitions and also extend to state higher education institutes, local government and the Colorado judicial branch. The AG’s office requested public input on the new definitions, including whether anything is missing from the new categories and how enforcement of the CPA should apply to commercial activity.
Another concern raised in the latest rulemaking phase was how the CPA would apply to journalists. Comments from the Colorado Broadcasters Association and Aspen Public Radio asked for journalism exemptions to the CPA, noting that journalists often keep data like names, contact information, interview notes and recordings and more in the newsgathering process. The organizations shared concerns that including newsrooms in the CPA could result in opt-out and deletion requests by subjects and sources, which could work against the public interest and impede the press.
The latest version of the rules clarified that when enforcing the CPA, prosecutors may not exercise “enforcement powers that would infringe upon rights protected by the United States Constitution or Colorado Constitution, including the right to freedom of speech or freedom of the press.”
New and Updated Definitions
Several comments raised concerns over how the CPA would apply to data collected from public records.
Comments by the Coalition for Sensible Public Records Access and RELX Group, which owns a number of public information data tools including LexisNexis, asked the AG’s office to clarify how the CPA applies to data gathered from publicly available information from government offices. The commenters were concerned over language in the first draft that excluded “inferences made from multiple sources of publicly available information” from the definition of publicly available images.
The latest version deleted the inferences provision and instead updated the rule to cover “publicly available information that has been inextricably combined with non-publicly available personal data.”
Other comments asked for more tailored definitions for what employment data is covered by the CPA. The AG in response issued new definitions for employer, employee and employment records based on the Colorado Wage Act.
The final major definition update was to what the CPA considers to be consumer rewards programs which offer benefits to consumers who voluntarily opt into data collection. While the first draft of the CPA didn’t define what’s considered a “bona fide loyalty program,” the latest version specifies a loyalty program is one “established for the genuine purpose of providing discounts, rewards or other actual value to consumers that voluntarily participate.”
Colorado is one of five states to pass a consumer data privacy law after California enacted the California Consumer Privacy Act in 2018, followed by Virginia, Utah and Connecticut, whose laws will take effect in 2023. The recent wave of legislation comes as concerns over digital data collection grow.