
The Colorado Privacy Act - What the Draft Rules Say About Consent

By Odia Kagan

Second in a series of articles on the Colorado Privacy Act draft rules.

There is a lot to know about Colorado’s draft rules regarding the Colorado Privacy Act, which was enacted in July 2021.

This alert takes a look at the draft rules' consent provisions.

The state is currently accepting comments on the rules and plans to hold a series of hearings with stakeholders throughout November. For assistance in submitting comments, contact the author, Odia Kagan.

Additional details on the hearing schedule and provisions for providing comments can be found here.

Accountability / Documentation

  • You must retain records of all Consumer Data Rights requests made for at least twenty-four (24) months.
  • You must also retain records showing how you complied with data rights requests, and records relating to data minimization, secondary uses and children's consent.
  • You may not use information retained for this purpose for any other purpose.

Consent

Consent is required for:

  • Processing Sensitive Data;
  • Processing Personal Data concerning a known child, in which case the child's parent or lawful guardian must provide consent;
  • Selling a consumer's Personal Data, Processing a consumer's Personal Data for targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer after the consumer has exercised the right to opt out of the processing for those purposes; and
  • Processing Personal Data for purposes that are not reasonably necessary to, or compatible with, the original specified purposes for which the Personal Data are processed.

Consent must:

  • Be obtained through the consumer's clear, affirmative action
  • Be freely given by the consumer
  • Be specific
  • Be informed
  • Reflect the consumer's unambiguous agreement

Clear affirmative action:

  • This is either (a) deliberate and clear conduct, or (b) a statement that clearly indicates the consumer's acceptance of the proposed processing of their Personal Data.
  • A blanket acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes, and other negative-option opt-out constructions that require intervention from the consumer to prevent agreement are not clear affirmative actions for the purposes of valid consent.

Freely given:

  • Consumers should be able to withdraw consent easily and without detriment.
  • Consent can’t be bundled with other terms and conditions.
  • You cannot condition the performance of a contract on consent to processing which is not necessary to provide the goods or services contemplated by the contract.
  • You cannot deny goods, services, discounts, or promotions to a consumer who chooses not to provide consent.

Specific:

  • You must provide the ability to separately consent to each purpose (no bundling).
  • Consent to process data for one purpose is not consent to process it for another purpose.
  • Consent to sell or share data with certain parties is not consent to sell or share it with other parties; you need to specify the parties.

Informed:

  • You need to provide all the disclosures required by the law in order for consent to be valid.
  • Consent obtained through Dark Patterns does not constitute consent.
  • Requests for consent must be prominent, concise, and separate and distinct from other terms and conditions.
  • To get consent you can’t just direct someone to your privacy notice. You must direct them to the specific relevant section in the privacy notice.

Consent after an opt out:

  • If a consumer has opted out of the processing of Personal Data for the Opt-Out Purposes, and then initiates a transaction or attempts to use a product or service inconsistent with the request to opt out, such as signing up for a Bona Fide Loyalty Program that also involves the sale of Personal Data, you may request the consumer's consent to process the consumer's Personal Data for that purpose.
  • For consumers who have opted out through a Universal Opt-Out Mechanism (UOOM), displaying a pop-up banner seeking consent to share the consumer's Personal Data for targeted advertising is not a valid request for consent, because the request is made through a pop-up banner that degrades or obstructs the consumer's experience on the controller's web page or application.

Consent for Children:

  • If you operate a website or business directed to children or have actual knowledge that it is collecting or maintaining Personal Data from a child, you must take commercially reasonable steps to verify a consumer’s age before processing that consumer’s Personal Data.
  • If you process the Personal Data of a child, you must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology.
  • The rules list methods for consent that are similar to the ones set forth in COPPA.

Withdrawing consent:

  • A consumer shall be able to refuse or revoke consent as easily and within the same number of steps as consent is affirmatively provided.
  • If consent is obtained through an electronic interface, the consumer shall be able to refuse or withdraw consent through the same electronic interface.

Refreshing consent:

  • You must refresh consent at regular intervals based on the context and scope of the original consent, sensitivity of the Personal Data collected, and reasonable expectations of the consumer.
  • If a processing purpose materially evolves such that the new purpose becomes a secondary use, the consumer’s original consent is no longer valid. You must obtain new Consent.
  • For processing of Sensitive Data, consent must be refreshed at least annually.

Dark Patterns:

  • You cannot use an interface design or choice architecture that has the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a consumer into providing consent.
  • Consent choice options should be presented to consumers in a symmetrical way that does not impose unequal weight or focus on one available choice over another.
  • Consent choice options should avoid the use of emotionally manipulative language or visuals to coerce or steer consumer choice.
  • A consumer’s silence or failure to take an affirmative action should not be interpreted as acceptance or consent.
  • Consent choice options should not be presented with a preselected or default option.
  • A consumer should be able to select either consent choice option within the same number of steps.
  • A consumer’s expected interaction with a website, application, or product should not be unnecessarily interrupted or intruded upon to request consent.
  • Consent choice options should not include misleading statements, omissions, affirmative misstatements, or intentionally confusing language to obtain consent.
  • The vulnerabilities or unique characteristics of the target audience of a product, service, or website should be considered when deciding how to present consent choice options.
  • User interface design and consent choice architecture should operate in a substantially similar manner when accessed through digital accessibility tools.
  • Consent obtained in violation of the rules may be considered a Dark Pattern.
  • The fact that a design or practice is commonly used is not, alone, enough to demonstrate that any particular design or practice is not a Dark Pattern.

Up Next: A detailed look at the Data Protection Assessment provisions of the draft rules.


For more information on the Colorado Privacy Act, assistance in submitting comments and other data privacy compliance questions, contact the author Odia Kagan at okagan@foxrothschild.com.