Almost exactly one year ago, on July 7, 2021, Colorado Governor Jared Polis (D) signed the Colorado Privacy Act (“CPA”) into law. As we have previously highlighted, the Colorado Attorney General and the Department of Law (“Colorado AG”) have been a leading voice, both in Colorado and nationally, on privacy policy and enforcement. Consistent with that high level of engagement, the CPA specifically calls for the Colorado AG to implement the law by adopting new rules governing privacy, as well as by “adopting rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.”[1]
Now, as the Colorado AG undertakes its mandated rulemaking and implementation, the U.S. Supreme Court’s recent decision in Dobbs raises new questions about how the CPA and other state privacy laws will be implemented and enforced. Although these issues were not raised during the CPA listening sessions, Colorado could be a state where they emerge in the coming weeks and months. In the wake of Dobbs, which overturned Roe v. Wade, we expect that state AGs generally will be examining how the decision affects their states’ privacy regimes. The answers will likely depend on the political makeup of each state and, relatedly, the political affiliation of the AG, but could extend to issues such as how insurers and medical facilities collect, handle, and maintain (or produce in the course of investigations) private medical information. This is consistent with the increased focus state AGs have recently placed on protecting sensitive medical-related information.
Last week, North Carolina AG Josh Stein launched an investigation into a digital tracking company that allegedly collects information from hospitals when patients try to make online appointments and then provides that information to large social media platforms for advertising purposes. Like AG Stein, state AGs around the country are actively exploring ways to better protect this especially sensitive category of personal data, both by engaging in their states’ legislative efforts and by employing their far-reaching state consumer protection laws to bring enforcement actions against those who allegedly misuse private medical information. With the Dobbs decision and its implications now at the top of many state AGs’ minds, issues around information sharing, data retention, and geolocation technology could all emerge as policy and litigation flashpoints.
As part of its implementation of the CPA, and in a nod to a transparent and fully-informed rulemaking process, the Colorado AG held CPA-related “Pre-Rulemaking Listening Sessions” on Wednesday, June 22nd and again on Tuesday, June 28th. The listening sessions were designed to be public fora for anyone to provide feedback, suggestions, and comments to the Colorado AG prior to the CPA’s implementation later this year. The informal comment period is set to conclude in August. The Colorado AG plans to release proposed draft rules for formal notice and comment sometime in the fall. Final rules will then be promulgated in late 2022 or early 2023, and CPA enforcement will commence on July 1, 2023. While these sessions were led by various Colorado AG staff, it was made clear at the outset that the Colorado AG would not provide substantive comments or answers to any questions during these sessions.
While the Colorado AG emphasized that they were open to comments about any part of or issue related to the CPA, they also noted that they were focusing on a few particular areas, including: (1) universal opt out; (2) consent; (3) dark patterns (typically understood as deceptive or misleading digital practices implemented through algorithms and user interface designs); (4) data protection assessments; (5) profiling; (6) opinion letters; (7) offline data (data collected in person, for example via a magazine subscription, that may later be stored online, and in particular the issues that arise when consumers exercise their preferences regarding the future treatment of such data); and (8) interoperability.
The Colorado AG kicked off both sessions with a brief overview of the CPA. First, they discussed the CPA’s provisions on consumer rights, noting that these include the ability to exercise rights such as:
- Telling businesses not to sell or use your personal data for certain purposes;
- Agreeing to (or denying) the collection and use of your sensitive personal information;
- Accessing the personal data that businesses have collected about you;
- Having businesses correct errors in certain pieces of your personal data;
- Using one single signal to opt out of the sale of your personal information or targeted advertising;
- Having businesses delete certain pieces of your personal data;
- Having businesses provide a portable copy of your personal data to you; and
- Understanding what personal data businesses collect about you.
The Colorado AG then highlighted businesses’ obligations under the CPA, including:
- Provide a privacy notice telling you how your information is collected and used and how you can exercise your CPA rights;
- State a purpose for the collection and use of your personal data, and only collect the amount and type of personal data necessary for that purpose;
- Take reasonable measures to protect your personal data; and
- Obtain your consent before collecting and using your sensitive personal information.
The June 22nd session, which was held both in person and virtually, was sparsely attended, with only two commenters participating. The June 28th session was far better attended, with commenters from a wide variety of organizations and institutions.
Many of the comments focused on the opt-out mechanism set forth in the CPA and how it will apply in varying contexts, subject to the Colorado AG’s rules on that mechanism. Both privacy advocates and business community representatives called for the Colorado AG to take every step possible to ensure that the CPA is implemented in a way that interacts coherently with other states’ privacy laws, so that both consumers and businesses have clarity and a degree of uniform applicability nationwide.
[1] https://coag.gov/resources/colorado-privacy-act/#:~:text=On%20July%207%2C%202021%2C%20Governor,of%20Colorado’s%20Consumer%20Protection%20Act.