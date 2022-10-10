The next steps are afoot in setting up stronger requirements for protecting consumer data privacy in Colorado.
The Colorado Attorney General's Office is seeking public comment on draft rules tied to 2021 legislation that will allow consumers more control over their personal data, including a so-called "universal opt-out."
The draft rules being considered include:
- Definitions and clarifications of key terms such as “biometric data,” “bona fide loyalty programs,” and “publicly available information”
- Description of how Coloradans may exercise new rights over their personal data, including the right to access and correct personal data and to opt out of the sale of personal data, or use of personal data for targeted advertising or profiling
- Technical specifications for a tool or mechanism that will allow consumers to opt out of the processing of personal data by all businesses, instead of on a case-by-case basis
- The duties of entities that use and control consumers’ personal data, including obligations to safeguard personal data and protect consumer privacy
- A clarification that disclosures and limitations associated with the user of Coloradan’s personal data for bona fide loyalty programs, or programs that offer discounts, rewards, or other actual value in exchange for personal data
- A clarification that the requirements for obtaining consent from Coloradans prior to specific uses of personal data, and addresses the prohibition against obtaining consumer agreement through unclear or ambiguous means, often called “dark patterns”
- Description of how the required scope, content, and timing of data protection assessments, which controllers must complete before using personal data for activities that present a heightened risk of harm to consumers
- When and how controllers must respond to consumers' request to opt-out of specific kinds of automated profiling as well as what controllers must include in data protection assessments when conducting automated profiling
Nearly four dozen comments have already been submitted.
The attorney general's office is also holding virtual stakeholder meetings on Nov. 10, Nov. 15, and Nov. 17, with a rulemaking hearing to follow on Feb. 1.
The link to the rules can be found here; the link to provide public comment can be found here. The deadline for providing public comment is Feb. 1.
The rules under consideration now stem from Senate Bill 21-190, which will create a global or universal opt-out for Coloradans. A consumer would need to opt out just once, and personal data cannot be stored, shared or sold by any website or company covered by the law. That makes Colorado's law stronger than the data privacy laws in California — where it's optional — and Virginia, which enacted a new data privacy law in 2021.
The bill also requires websites to make a number of notifications to consumers.
Those including notification about what information the business has, that a copy of that data is available to the consumer, and that the consumer has a right to correct and delete personal information. The law also provides an "opt in" for sensitive data, such as biometric data. That's the data that includes body measurements, facial recognition or even keyboard strokes. The opt-in also applies to data on children and demographic information. The law also imposes responsibilities on businesses and other entities covered by the bill, such as transparency. If the business does not comply, there is an appeal process to the attorney general or to a local district attorney who would handle enforcement.
Congress is also considering legislation to beef up consumer privacy. That measure passed a House committee in July with near-unanimous support and is now awaiting action from the full House.
