On July 8, the Colorado Privacy Act was signed into law with an effective date of July 1, 2023. Like other omnibus state laws passed in the United States (California and Virginia notably), there are a lot of details to review. Colorado is perhaps an example of what we can expect in the future – some similarities, some differences, and some new elements. Similarities include consumer rights, privacy notices, and opt outs of certain processing activities, such as the sale of personal data.
This is part III in a four-part series on the Colorado Privacy Act. In this part, we address the requirements of a privacy notice along with information on special categories of processing – targeted advertising, sales of personal data, and profiling – including what must be offered to consumers to opt out of these activities. In the other parts of this series, we covered other aspects of the CPA, such as:
- Part I – Overview
- Part II – Consumer Rights and how to implement your response program
- Part IV – Responsibilities of the Parties & Contracts
Transparency (Privacy Notice)
Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data collected or processed by the controller or a processor,
- The purposes for which the categories of personal data are processed,
- How and where consumers may exercise their rights, including the controller’s contact information and how a consumer may appeal a controller’s action in regard to the request,
- The categories of personal data that the controller shares with third parties, if any,
- The categories of third parties, if any, with whom the controller shares personal data, and
- If applicable, whether personal data is sold or used for targeted advertising along with how consumers can opt out of those activities.
Even though it is not an explicit requirement under the CPA to document data processing activities, the privacy notice disclosures require that controllers identify their processing activities, from collection of personal data through disclosure to third parties.
Special Processing Activities and Consent
Controllers must offer convenient methods for consumers to opt out of having their data processed for targeted advertising, sales of personal data (taking into account the broad definition of “sell”), and profiling that carries significant consequences for consumers. The latter is reminiscent of the GDPR, but Colorado defines “profiling” and specifies which significant consequences trigger the ability to opt out of it.
Profiling. Profiling “means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Legal or significant effects that may come from profiling are specified as decisions that result in “the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.”
Targeted advertising. Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across non-affiliated websites, applications, or online services to predict consumer preferences or interest. It does not include processing personal data solely for advertising performance, reach, or frequency metrics.
Targeted advertising also does not include advertisements:
- in response to a request for information or feedback,
- based on activities within a controller’s own websites or application, or
- based on a current search query, website visit, or online application.
Opt out methods. Controllers must provide a clear and conspicuous method for consumers (or their authorized agents) to opt out, both in any required privacy notice and in a clear, conspicuous, and readily accessible location outside the privacy notice. Interestingly, the “authorized agents” may indicate the consumers’ intent through weblinks indicating a preference, browser settings or extensions, or global device settings. Indeed, according to the language, the technology designed and operated by entities may itself be deemed an authorized agent, thereby eliminating complex authorization confirmation protocols, such as notarized appointment letters.
Technical specifications. Colorado requires the Attorney General’s office to establish technical specifications for universal opt-out mechanisms.
Important dates. These mechanisms are optional until July 1, 2024, after which controllers must offer consumers the ability to opt out of targeted advertising, sales of personal data, and profiling using universal opt-out mechanisms.
Consent. However, a consumer’s consent to such options, if provided appropriately, takes precedence over the choices in the universal opt-out mechanisms. Consent may be obtained through webpages, applications, or similar technology that provides clear and conspicuous notice about the choices available, the categories of personal data collected, and the purposes, and that explains how and where consumers may also revoke such consent. The withdrawal of consent must be available as easily as the consent was given – another concept directly from the GDPR.
To learn how TrustArc can help you prepare for the Colorado Privacy Act, visit trustarc.com.