Colorado’s AG Office Kicks Off CPA Rulemaking Meetings

On Thursday, November 10th, the Colorado Attorney General’s Office held the first of three stakeholder meetings on its Colorado Privacy Act draft rules. The initial meeting covered Universal Opt Out Mechanisms (UOOMs) and consumer rights. Pre-registered participants were given three minutes to present on each topic. AG staff then posed a variety of questions, encouraging input and engagement between participants.

Universal Opt Out Mechanisms (UOOMs)

Participants provided a variety of suggestions regarding UOOMs. Consumer rights groups recommended requiring data minimization, preventing controllers from collecting more personal information than necessary to complete the transaction, and requiring that opt-out signals not be intrusive. Industry commenters focused on companies needing more time to implement UOOMs. Commenters noted that the rules could provide additional guidance related to authenticating the residency of users. Some asserted that Colorado should avoid requiring technical specifications, as they could stifle innovation and create additional regulatory burdens. Others suggested how controller obligations could be clarified, including around secondary uses.

Afterwards, AG staff posed the following questions about UOOMs:

  • What are potential benefits and concerns associated with recognizing certain default tools as valid UOOM mechanisms?
  • What are additional processes the AG’s office should consider for authenticating consumers’ residency, and what are some pros and cons of those processes? Are there any good alternatives to IP addresses for authentication?
  • What are the challenges with ‘Do Not Sell’ lists?
  • What is an appropriate cadence for updating the Department’s list of valid UOOMs? What is an appropriate timeframe for businesses to implement UOOMs after the list is published?
  • What standards should a UOOM meet to be included on the Department’s list?
  • Should businesses be required to indicate that they have processed opt-out requests transmitted through a UOOM?

Responses to these questions echoed participants’ previous comments, although some participants were not prepared to address specifics. Participants agreed that the time frame for controllers to implement UOOMs should be at least 6 months, but more appropriately 9 to 12 months to account for the time required by design cycles.

Consumer Rights

On consumer rights, participants provided thoughtful suggestions, including that the rulemaking be free of legal jargon, provide consumers meaningful control over data, and prioritize consumer rights over other considerations.

AG staff asked the following questions about consumer rights:

  • What does it mean to offer a “clear and conspicuous” method for opting out of consumer requests?
  • Right of access: In what form should a controller provide personal data to a consumer in response to an access request? What is the right balance between creating an accessible format and providing all of the information requested? What would be the effect of adding “to the extent feasible” to the draft rules?
  • Right to correction: How can language of the rule be used to deter controllers from abusing the purpose of this provision? When consumers and controllers disagree on accuracy, what should happen?
  • Right of portability: Regarding the trade secret exemption, when can algorithms be reverse engineered from disclosing an inference?
  • Do authorization requirements sufficiently consider identity theft?
  • Appeal process: Would additional rules be helpful? Which part of the appeal process needs the most clarification?

Commenters observed that documents presented by authorized agents can be falsified, raising questions of whether a centralized registry or software solution would provide greater assurances of authenticity.

We will continue to monitor rulemaking developments in Colorado.