On October 10, 2022, the Colorado Secretary of State published draft rules implementing the Colorado Privacy Act of 2021. The proposed rules give consumers rights over their personal data, including the ability to access, correct, or delete personal information previously gathered by an entity and the ability to “opt out” of having their personal data sold or used for targeted advertising or profiling. Entities that collect personal data must give consumers a clear way to exercise these new data rights, and they are required to stop using a consumer’s personal data within fifteen days of the consumer’s “opt out” request. The proposal further imposes specific requirements for privacy disclosures, data security, and personal data usage. In general, the rights and obligations of Colorado’s proposed rules reflect the European Union’s General Data Protection Regulation’s emphasis on data transparency and user control.
As with other laws that impose specific data privacy obligations, some commentators have expressed concern that compliance with Colorado’s proposed rules will be technically difficult. For example, a consumer-initiated correction of personal data must propagate “across all data flows and repositories,” which can be a complex task in a highly distributed system. The proposal also requires covered entities to categorize and disclose each specific use of consumer data and to notify the consumer of changes in data usage fifteen days before the change goes into effect. This could require significant engineering work: companies may need to issue back-to-back disclosures, first notifying the consumer of a new use of their personal data and then of the discontinuation of that use, when the company A/B tests certain features or uses personal data differently for different subsets of its consumers. The amount of work that may be necessary to comply with these rules reflects the fundamental shift in data control implied by Colorado’s law: rather than allowing an entity almost unlimited discretion in how it uses consumer information, the law gives consumers control over their personal data and how companies use it.
In addition to the technological challenges inherent in compliance with an individual data privacy law, there are concerns over how Colorado’s Privacy Act will affect the overall compliance landscape. Colorado is the third state, after California and Virginia, to enact a comprehensive consumer privacy statute. While data privacy laws tend to articulate similar rights and obligations, the distinctions between laws can be substantial. At a high level, Colorado’s Privacy Act applies to some nonprofit organizations, while California and Virginia’s laws categorically exempt nonprofits; similarly, only California’s law applies to employee or business-to-business data. At the level of specific regulatory requirements, the three states mandate different processes and exceptions for consumer data requests. These divergences will be exacerbated as more states enact detailed data privacy regulations, and the likelihood of a direct conflict between legal standards will grow. At the same time, consumers are increasingly likely to gain meaningful control over their personal data as various regulated entities attempt to comply with the growing legal demands for consumer data privacy.
Colorado’s proposed rules are open for written and oral comment in the coming months, with a rulemaking hearing to be held on February 1, 2023. They are scheduled to take effect on July 1, 2023.