Today, November 10, 2022, the Colorado Attorney General’s office held the first of three stakeholder meetings at which the public could give oral comment on the draft Colorado Privacy Act (CPA) rules released on October 10, 2022. The Colorado Office of the Attorney General (OAG) has shown its commitment to robust stakeholder engagement by proactively collecting ideas and feedback from the public to inform the CPA regulations. The meeting was seamlessly facilitated by Assistant Attorneys General Jill Szewczyk and Stevie DeGroff and addressed the following provisions:
Consumers’ personal data rights: Part 4 of the draft rules describes how Coloradans may exercise new rights over their personal data, including the right to access and correct personal data and to opt out of the sale of personal data, or use of personal data for targeted advertising or profiling.
Universal opt-out mechanisms: Part 5 of the draft rules outlines the technical specifications for a tool or mechanism that will allow consumers to opt out of the processing of personal data by all businesses, instead of on a case-by-case basis.
A consistent theme in the comments was harmonization and interoperability of the CPA rules on the universal opt-out mechanism and consumer rights with the other state privacy laws that are, or soon will be, in effect. A representative from the California Privacy Protection Agency was even in attendance to offer insight into how and why that agency wrote its own regulations on the universal opt-out mechanism. All parties seemed to agree that harmonization will make it easier for consumers to exercise their right to opt out, and for businesses to honor that right. How the OAG will incorporate this feedback into the final rules, only time will tell.
Hits and Misses of the Universal Opt-Out Mechanism
Other salient comments on the universal opt-out mechanism focused on the implementation time for mechanisms newly recognized by the OAG and published on the central repository list, the requirement to query a “do not sell” list, and opt-out request authentication. There was overwhelming appreciation for the public list of universal opt-out mechanisms proposed in Rule 5.07(A). One suggested improvement was for the OAG to engage stakeholders before adding a new mechanism to the list, rather than unilaterally controlling its contents. The overall consensus was also that the 30-day timeline the OAG proposed for implementing a newly listed universal opt-out mechanism is not enough time for industry to implement it properly. Many industry commenters said a 9- to 12-month timeline would be acceptable, although some mentioned 6 months.
Commenters generally expressed concern about the Do Not Sell list proposed in Rule 5.08(B). While there was appreciation for why the OAG is proposing such a list, many pointed out its opportunities for failure: for example, the latency added by all of the queries controllers would need to make against it, and the potential for consumer fraud. One commenter proposed, as a possible route forward, that querying the Do Not Sell list be optional rather than required.
Another key topic of discussion centered on authentication, namely the use of IP address to verify the residency of the consumer submitting the request. While it was acknowledged that IP address is widely used for this purpose, many noted that it is becoming increasingly inaccurate; VPNs, proxies and carrier-grade NAT on mobile networks all put a consumer's apparent location somewhere other than where they actually are. However, when Assistant Attorney General DeGroff asked whether anyone could suggest an alternative to IP address for authenticating a request, no alternatives were offered.
Protecting Colorado Consumer Rights to their Personal Data
The proposed consumer rights in the CPA largely align with those we have seen in California, Virginia and elsewhere. Nonetheless, there were many comments emphasizing harmonization and interoperability. A number of attendees expressed concern about the subjective wording of the proposed rules. They said it leaves too much room for interpretation, and thus too much opportunity for controllers to exploit the grey area and not honor a consumer's request to exercise their right(s). This is especially so if the OAG adds “to the extent feasible” language to Right of Access requests.
Under proposed Rule 4.07, when a controller provides data to a consumer in response to a Right to Data Portability request, the controller must also disclose the algorithm or mechanism used to create inferences from the personal data, if any. Numerous industry representatives expressed concern that, given both the raw data provided and the resulting inferences, the algorithm or mechanism could certainly be reverse engineered. One commenter offered as a solution that the controller enter into a rights-of-use or similar contract with the consumer prohibiting such reverse engineering, but it is unclear whether the OAG will add such a contractual requirement on consumers or instead drop the disclosure requirement from the final rules.
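To make the reverse-engineering concern concrete, here is an added example; it is not code from the original post, the OAG, or any controller. It assumes a hypothetical controller whose inference is a simple threshold rule over two hypothetical fields (annual_spend, site_visits), and constructed records pooled from several consumers' portability responses, as an authorized agent submitting requests on many consumers' behalf might hold them. The example goes beyond the single-consumer case in the text: it brute-forces the smallest conjunction of threshold tests that reproduces every disclosed inference, which recovers the rule without ever seeing it, and it also shows the limit of that recovery.

```python
"""Recovering an inference rule from disclosed (personal data, inference) pairs.

Added illustration: the controller, its rule, the field names and every record
below are hypothetical and constructed for this example.
"""
from itertools import combinations, product
from typing import Dict, List, Optional, Tuple

Record = Dict[str, int]
Rule = Dict[str, int]  # feature -> threshold; the rule is "every feature >= its threshold"

# Constructed records, as an authorized agent pooling portability responses
# from several consumers might hold them. Values are made up.
RECORDS: List[Record] = [
    {"annual_spend": 120, "site_visits": 1},
    {"annual_spend": 800, "site_visits": 1},
    {"annual_spend": 650, "site_visits": 3},
    {"annual_spend": 450, "site_visits": 5},
    {"annual_spend": 510, "site_visits": 3},
    {"annual_spend": 900, "site_visits": 7},
    {"annual_spend": 300, "site_visits": 2},
    {"annual_spend": 520, "site_visits": 2},
    {"annual_spend": 700, "site_visits": 4},
    {"annual_spend": 500, "site_visits": 3},
]


def controller_inference(rec: Record) -> bool:
    """Hypothetical hidden rule. The agent never sees this function, only the
    True/False inference each consumer receives alongside their raw data."""
    return rec["annual_spend"] > 500 and rec["site_visits"] >= 3


def disclosed_pairs(records: List[Record]) -> List[Tuple[Record, bool]]:
    """What a Rule 4.07-style disclosure hands over: raw data plus the inference."""
    return [(r, controller_inference(r)) for r in records]


def predict(rule: Rule, rec: Record) -> bool:
    """Apply a recovered threshold rule to one record."""
    return all(rec[f] >= t for f, t in rule.items())


def fit_threshold_rule(pairs: List[Tuple[Record, bool]],
                       max_features: int = 2) -> Optional[Rule]:
    """Brute-force the smallest conjunction of '>= threshold' tests that
    reproduces every disclosed inference. Candidate thresholds are the
    observed values of each field, so the search is exhaustive for this
    rule family; None means no such rule fits the disclosed pairs."""
    features = sorted(pairs[0][0])
    candidates = {f: sorted({r[f] for r, _ in pairs}) for f in features}
    for k in range(1, max_features + 1):
        for subset in combinations(features, k):
            for thresholds in product(*(candidates[f] for f in subset)):
                rule = dict(zip(subset, thresholds))
                if all(predict(rule, r) == label for r, label in pairs):
                    return rule
    return None


def recover_rule() -> Optional[Rule]:
    """Recover the hidden rule from nothing but the disclosed pairs."""
    return fit_threshold_rule(disclosed_pairs(RECORDS))


if __name__ == "__main__":
    rule = recover_rule()
    print("recovered:", rule)  # {'annual_spend': 510, 'site_visits': 3}
    # Caveat: each recovered threshold is only pinned to the gap between the
    # observed values on either side of it, so a probe inside that gap can
    # still disagree with the controller's real rule.
    probe = {"annual_spend": 505, "site_visits": 4}
    print("hidden:", controller_inference(probe), "recovered:", predict(rule, probe))
```

The recovered rule agrees with the controller's on every disclosed record, and the more records an agent pools, the narrower the gaps in which it can still be wrong. Note that a rights-of-use contract of the kind one commenter proposed is a legal deterrent, not a technical control: nothing in the disclosed data stops this computation from being run.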
As with the universal opt-out mechanism, authentication was discussed at length. Industry representatives noted that identity authentication to prevent fraud is one of the most difficult provisions in privacy legislation to get right. Examples were given of fraudulent consumer data requests, and of requests submitted by fraudulent authorized agents. Paralleling the proposed public list of OAG-recognized universal opt-out mechanisms, one commenter suggested a public list of known authorized agents accepted to submit consumer data rights requests. Ineffective procedures for authenticating consumers and authorized agents when processing consumer data rights requests would be counterproductive to empowering consumer ownership of their data. We hope the OAG understands and respects this issue, and designs the final rules accordingly.
Onemata provided an overview of the subsequent stakeholder meeting held on November 15, 2022, which discussed the provisions for controller obligations and data protection assessments. The CPA goes into effect July 1, 2023.