
The Colorado Privacy Act - What the Draft Rules Say About Consumer Rights

By Odia Kagan

Fifth in a series of articles on the Colorado Privacy Act draft rules.

There is a lot to know about the draft rules implementing the Colorado Privacy Act, which was enacted in July 2021.

This alert takes a look at the Consumer Rights provisions of the draft rules.

The state is currently accepting comments on the rules and plans to hold a series of hearings with stakeholders throughout November. For assistance in submitting comments, contact the author, Odia Kagan.

Additional details on the hearing schedule and provisions for providing comments can be found here.

Consumer Rights

The methods for submitting consumer requests must:

  • Take into account the ways in which consumers normally interact with the controller
  • Use reasonable data security measures when exchanging information
  • Be easy for consumers to execute, requiring a minimal number of steps; and
  • Not use Dark Patterns

The Data Rights request method does not have to be specific to Colorado, so long as the request method:

  • Clearly indicates which rights are available to Colorado consumers
  • Provides all Data Rights available to Colorado consumers
  • Provides Colorado consumers a clear understanding of how to exercise their rights
  • Meets all other requirements

Data Minimization

  • For consumer rights requests, collect only the information reasonably necessary to authenticate the consumer or to effectuate the request. You can't require the consumer to create a new account to submit a request, but you can require them to use an existing account.

Right to Opt Out

  • A controller must comply with an opt-out request as soon as feasible, but not later than 15 days after receipt (similar to CPRA).
  • You need to provide an opt-out method directly or through a link. If through a link, it must take the consumer directly to the opt-out method and an explanation of it (similar to CPRA).
  • You must provide this clearly and conspicuously in the privacy notice or a readily accessible location outside the privacy notice. It must be:
    • Positioned in an obvious location of a website or application, such as the header or footer of a controller’s internet homepage, or an application’s app store page or download page.
    • Available to the consumer at or before the time the Personal Data is processed for the Opt-Out purposes.

Right of Access

Personal Data provided in response to an access request must be:

  • Understandable to the controller's target audiences, considering vulnerabilities or unique characteristics of the audience and paying particular attention to the vulnerabilities of children. This means: concise, transparent and easily intelligible, avoiding incomprehensible or unexplained internal codes and identifiers (GDPR and CPRA standards)
  • Provided in the language in which the consumer interacts with the controller.
  • Provided in a form that would allow the average consumer to make an informed decision of whether to exercise deletion, correction or opt-out rights.

Right to Correction

  • You must instruct all processors that maintain the Personal Data at issue to make the necessary corrections in their respective systems and to ensure that the Personal Data remains correct.
  • You may direct consumers to account settings if correction can be done through them, provided that (1) the process is not unduly burdensome; (2) the instructions meet the transparency/disclosure requirements; and (3) you respond in a timely manner.
  • If you decide, based on the totality of the circumstances, that the data is more likely than not accurate, you may decide not to act upon a request.
  • If you received the information from a third party and not the consumer directly, the consumer’s assertion of inaccuracy shall be sufficient to establish that the Personal Data is inaccurate.
  • You may require the consumer to provide documentation if necessary to determine whether the Personal Data, or the consumer’s requested correction to the Personal Data, is accurate. When requesting documentation, you must provide the consumer with a meaningful understanding of why the documentation is necessary.
  • You may process any documentation received only for the purpose of assessing the accuracy of the data.
  • You must implement reasonable security measures when processing this documentation.

Right to Deletion

  • You may comply by permanently and completely deleting the information, or by de-identifying it, AND in either case notifying all processors and affiliates to delete the information.
  • For archive/backup data, you may delay compliance until the system is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose.
  • If there is an exception to deletion, you must delete all data not subject to the exception and cannot use the information retained for any purpose other than as permitted by the exception.
  • For data obtained from a source other than the consumer: you may comply by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's Personal Data remains deleted from the controller's records, and not using such retained data for any other purpose, or (ii) opting the consumer out of the processing of such Personal Data for any purpose except for those exempted.

Up Next: A detailed look at the Data Portability, Authentication and other provisions of the draft rules.


For more information on the Colorado Privacy Act, assistance in submitting comments and other data privacy compliance questions, contact the author Odia Kagan at okagan@foxrothschild.com