Colorado’s Privacy Act regulations have now been finalized, in advance of the law’s July 1 effective date. As we have written previously, the Colorado privacy law applies to companies that conduct business in the state and either (1) control or process the personal data of at least 100,000 Colorado consumers during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 Colorado consumers. The law mirrors in many ways the comprehensive privacy laws of other states.
Additionally, among its many requirements, the law provides that by July 1, 2024, consumers must be able to opt out of targeted advertising or the sale of their personal data through a universal opt-out mechanism. The Attorney General was to promulgate and adopt rules relating to the law’s opt-out mechanisms by July 1, 2023, and those rules were to establish the technical specifications for such mechanisms. Draft regulations addressing this were released in December and have now been finalized.
As indicated in the December draft, and carried through to the finalized version, the Colorado AG will release a list of Universal Opt-Out Mechanisms that meet the requirements of the regulations by January 1, 2024. Additional mechanisms may be added to the list after that time, and companies will have six months from the date a mechanism is added to begin honoring signals sent through it. As we noted in December, the regulations cover far more than opt-out mechanisms. Among the many details, the regulations provide more information about:
- Notices: The regulations clarify that privacy notices (as required under 6-1-1308) should be in “plain language” and avoid “technical or legal jargon.” They should also be accessible to people with disabilities, following standards such as the W3C accessibility guidelines, and should be straightforward and accurate.
- Rights Requests: For rights requests (under 6-1-1306), the regulations clarify that the request mechanism does not need to be specific to Colorado, but it should indicate which rights the company is making available to Colorado residents. The regulations further clarify that the only information collected as part of the process should be what the company needs to process the consumer’s request. The regulations also significantly build on the law’s access right, mirroring in many ways the process that exists in California. This includes a requirement that companies give people the “specific pieces” of personal information they hold, including information the company itself created (marketing profiles, inferences, etc.). The company does not, however, need to provide financial account information, medical information, or other similarly sensitive information. The regulations also require that records of rights requests be maintained for at least 24 months.
- Data Minimization: The law restricts the amount of information companies can collect (namely 6-1-1308’s requirement that collection be limited to what is reasonably necessary for the purpose for which the company is processing the data). The regulations build on this by requiring that companies review annually whether they still need to retain biometric identifiers, and that this assessment be documented in writing. The regulations also specify that companies should not collect information beyond what they list in their privacy policy.
- Consent: Under the Colorado Privacy Act, consent is needed in certain specific situations, including to (a) process sensitive information and (b) process information about a child. Consent obtained before July 1, 2023 remains valid as long as it meets the regulations’ requirements. Consent must be provided through a clear, affirmative action and must be freely given and specific. The regulations provide more detail about what this means. For example, they specify that a pre-checked box or “blanket acceptance of general terms and conditions” is not sufficient. Similarly, if consent is being sought for multiple processing activities that are “not reasonably necessary to or compatible with one another,” people must be able to consent to each separately.
Putting it into Practice: Now that the Colorado regulations have been finalized, companies subject to the law can more easily move forward with their compliance activities. This includes review of privacy policies, targeted advertising activities, rights request processing, data minimization, consent reviews, and more.