Colorado Privacy Act: Stakeholder Meeting Series Continues
Updated: Nov 28, 2022
The second of three stakeholder meetings allowing the public to provide oral comment on the draft Colorado Privacy Act (CPA) rules released on October 10, 2022 was held by the Colorado Attorney General’s office today, November 15, 2022. Our summary of the first meeting, during which consumer rights and universal opt-out mechanisms were discussed, can be found here.
Assistant Attorneys General Jill Szewczyk and Stevie DeGroff continued to uphold the Colorado Office of the Attorney General’s (OAG) commitment to robust stakeholder engagement, soliciting ideas and feedback from the public to inform the CPA regulations. Today’s agenda focused on the following provisions of the CPA draft rules:
Controller obligations: Part 6 of the draft rules describes the various obligations controllers must uphold to comply with the CPA, including transparency and consumer disclosures, duty of purpose specification, duty of data minimization, duty to avoid secondary use, duty of care, duty to avoid unlawful discrimination, duty regarding sensitive data, loyalty programs and documentation.
Data protection assessments: Part 8 of the draft rules outlines when controllers must conduct and document a data protection assessment (DPA), as well as the purpose, content and scope of the analysis.
As in the first meeting, industry representatives voiced their desire for the CPA rules on controller obligations and data protection assessments to be harmonized and interoperable with other state privacy laws, both to minimize the compliance burden and compliance risk for industry and to ensure ease of use by consumers.
This stakeholder meeting had the added benefit of consumers describing their prior (not very positive) experiences of working with controllers to exercise their rights over their data, and stating their opinions on the draft rules, particularly how effective and beneficial the rules will be. The frustration, anger and exhaustion in their voices were palpable. It is easy for industry to get wrapped up in reviewing laws and regulations through a self-serving lens. We can’t lose sight of the fact that, as one commenter put it, privacy is a “societal good”.
How “Loyal” Does a Consumer Need to be for a “Loyalty Program”?
The loyalty program provisions in draft rule 6.05 were discussed at length, particularly how the current language may leave the door open for bad actors to exploit its ambiguity without violating the non-retaliation and non-discrimination provisions. Commenters recommended that the OAG revisit its proposed definition of “Bona Fide Loyalty Program”. The currently vague definition would allow a controller to design a loyalty program that, while it provides value to a consumer, conditions participation on the sale of that consumer’s data to third parties. It was agreed that if a consumer exercises their right to have the controller delete their data, some or all benefits of the loyalty program may no longer be available to that consumer. However, if the consumer merely opts out of the sale of their data to third parties for targeted advertising, the current draft rules would allow the controller to strip away loyalty program benefits as a result of that opt-out. Any reasonable person would view this scenario as discriminating or retaliating against the consumer for exercising their rights over their data.
It was acknowledged that there are programs that offer consumers lower prices in exchange for allowing their data to be sold. However, those programs should not fall within the definition or regulation of “Bona Fide Loyalty Programs”. The arguments for a more specific definition of “Bona Fide Loyalty Program”, and for explicit guardrails on how such programs can be run compliantly, were compelling, and we’ll see how the OAG responds in the final rules.
The Benefit/Risk Balance
The regulations for DPAs suggest that the purpose of the DPA is essentially a risk/benefit analysis: analyzing and documenting whether the benefits that collecting and processing the personal data would provide to the consumer justify the risks of that collection and processing. It was recommended that the draft rules be modified to include language making it clear to controllers that a risk analysis must be completed as part of the DPA. This is important because a risk analysis defines the likelihood and magnitude of each identified risk, which in turn allows controllers to define and implement mitigation measures proportionate to risk severity and likelihood of occurrence.
A dynamic discussion regarding how specific the regulations should be about DPA content shed light on how difficult it will likely be for industry to implement the current DPA requirements. Commenters argued that the current draft regulations are quite detailed (i.e. too detailed), and thus not flexible enough to accommodate the range of situations controllers face. For example, the draft regulations require that the DPA be organized by processing operation. While that may make sense in some situations, in others a DPA would be better organized by data category, and under the current draft regulations that would be a violation.
Secondly, the current draft regulations also require data sources and recipients to be explicitly named in the DPA. Industry representatives stated that this level of detail in a DPA is overly burdensome and recommended that these requirements be removed.
Possible frameworks for DPAs, such as those described in ISO 27005, CIS-RAM, NIST SP 800-30 and NIST SP 800-53, were also discussed; specifically, whether the regulations should specify or recommend such frameworks, or whether that should be reserved for industry guidance documents. Commenters cautioned the OAG against being so specific, and against setting such high bars in regulation, for fear that a recommendation will be interpreted as a requirement. Requiring compliance with those standards may put an undue burden on smaller organizations, especially when there are alternatives available that would achieve the same goal. While no conclusion was reached, industry communicated to the OAG that this is certainly an area for growth and that a “wait and see” approach may be the best way to proceed.
The OAG stated that the intent is for the DPA regulations to be scalable based on company size, data processed, and similar factors. If that is the intent, the OAG will hopefully take this feedback and revise the draft regulations to be more flexible without sacrificing effectiveness.
Onemata's overview of the next and final stakeholder meeting held on November 17, 2022, which discussed the provisions for profiling, consent and definitions, can be found here. The CPA goes into effect July 1, 2023.