In his prepared remarks given at the International Association of Privacy Professionals Global Privacy Summit in Washington D.C., Colorado Attorney General Phil Weiser announced on April 12, 2022 that his office is seeking informal public comments on the Colorado Privacy Act (“CPA”) rulemaking.

The CPA was signed into law in July 2021, making Colorado the third US state to adopt a comprehensive privacy law. The law gives the Colorado AG rulemaking authority in three categories: (1) specific, required authority to draft technical specifications for one or more universal opt-out mechanisms; (2) specific, discretionary authority to create rules governing a process of issuing opinion letters and interpretive guidance; and (3) broader discretionary authority to create rules for the purpose of carrying out the CPA.

The informal public comments, as well as informal listening sessions (which are yet to be scheduled), come in advance of a formal notice and comment rulemaking period that is scheduled to begin in earnest in the fall of 2022. That process will provide a notice of the rulemaking, accompanied by draft regulations. There will be at least one formal hearing as well as the continued opportunity to submit comments on the draft regulations.

This informal public comment process is an early opportunity for stakeholders to provide feedback that could help shape the draft regulations. Within the pre-rulemaking guidelines released along with AG Weiser’s prepared remarks, the AG is specifically seeking input on eight topics, including:

  • The CPA’s “universal opt-out mechanisms,” which are technical measures with which consumers may exercise their “right to opt out of the processing of personal data . . . for purposes of targeted advertising or the sale of personal data.”
  • How “consent” to process consumer data should be defined, and what considerations should go into determining whether consent is given by a consumer, among other issues regarding consent.
  • What standards should exist for identifying “dark patterns,” which are defined under the CPA as “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
  • Guidance regarding the form and content of data protection assessments (DPAs) required by the CPA.
  • Input on the CPA’s consumer right to opt-out of “profiling…in furtherance of decisions that produce a legal or similarly significant effects concerning a consumer.”
  • Rules governing a process for the AG to issue opinion letters or interpretive guidance.
  • How the rules should handle “offline” data collection.
  • What the CPA should or could do to protect Coloradans that other privacy laws are not already doing.

Entities to which the CPA applies should strongly consider submitting comments.