
The Colorado Privacy Act - What the Draft Rules Say About Data Protection Assessments

By Odia Kagan

Third in a series of articles on the Colorado Privacy Act draft rules.

There is a lot to know about Colorado’s draft rules regarding the Colorado Privacy Act, which was enacted in July 2021.

This alert takes a look at the Data Protection Assessments provisions of the draft rules.

The state is currently accepting comments on the rules and plans to hold a series of hearings with stakeholders throughout November. For assistance in submitting comments, contact the author, Odia Kagan.

Additional details on the hearing schedule and provisions for providing comments can be found here.

Data Protection Assessments

  • A data protection assessment must be a genuine, thoughtful analysis that: (1) identifies and describes all risks posed by processing that presents a heightened risk of harm to a consumer; (2) documents the measures considered and taken to address and offset those risks; (3) contemplates the benefits of the processing; and (4) demonstrates that the benefits of the processing outweigh the risks offset by safeguards in place.
  • You can use a DPIA done under another legal regime if it meets the requirements of the regulations.
  • The depth, level of detail, and scope of data protection assessments should be proportionate to the size of the controller, amount and sensitivity of Personal Data processed, and Personal Data processing activities subject to the assessment.
  • You must involve all relevant internal actors from across your organizational structure, and where needed, relevant external parties, to identify, assess and address the data protection risks.
  • The regulations contain a prescriptive list of the elements that must be included in a DPA, which generally mirror the requirements under GDPR.
  • You need to do the DPA before initiating the relevant processing and you need to update it periodically, as well as when existing processing activities are modified in a way that materially changes the level of risk presented.
  • You must make the data protection assessment available to the Attorney General within thirty (30) days of the Attorney General’s request.

Profiling:

  • The Automated Processing used in profiling includes Solely Automated Processing, Human Reviewed Automated Processing, and Human Involved Automated Processing.
  • You need to provide expanded disclosure regarding profiling activities [which is broader than under GDPR] including: (1) a plain language explanation of the logic used in the profiling process; (2) why profiling is relevant to the ultimate decision; (3) if the system has been evaluated for accuracy, fairness, or bias, including the impact of the use of Sensitive Data, and the outcome of any such evaluation; (4) the benefits and potential consequences of the decision concerning the consumer; and (5) information about how a consumer may exercise the right to opt out.
  • You must conduct and document a data protection assessment before processing Personal Data for profiling if the profiling presents a reasonably foreseeable risk of: (1) unfair or deceptive treatment of, or unlawful disparate impact on consumers (including violation of UDAP or antidiscrimination laws); (2) financial or physical injury to consumers; (3) a physical or other intrusion upon the solitude or seclusion, or private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or (4) other substantial injury to consumers (includes, but is not limited to, a small harm to a large number of consumers).
  • This data protection assessment needs to include additional requirements.

Disclosures/Transparency:

  • A privacy notice must provide consumers with a meaningful understanding and accurate expectations of how their Personal Data will be processed.
  • You are not required to provide a separate Colorado-specific privacy notice or section of a privacy notice as long as the controller’s privacy notice contains all information required in this section and makes clear that Colorado consumers are entitled to the rights provided by CPA.

The disclosure must be: [Similar to the GDPR and CPRA regulations standard]

  • Concrete and definitive — no abstract or ambivalent terms.
  • Clearly labeled (especially re: the rights) [similar to DPC in WhatsApp].
  • Understandable and accessible to a controller’s target audiences, considering the vulnerabilities or unique characteristics of the audience and paying particular attention to the vulnerabilities of children.
  • Reasonably accessible to consumers with disabilities, including through the use of digital accessibility tools.
  • Available:
  1. Online through a conspicuous link using the word “privacy” on your website homepage or on a mobile application’s app store page or download page. If you maintain an application on a mobile or other device, it also must include a link to the privacy notice in the application’s settings menu.
  2. Offline, through a medium regularly used by the controller to interact with consumers.
  • Specific enough to enable a consumer to understand, in advance or at the time of the processing, the scope of the controller’s processing operations, such that a consumer should not be taken by surprise at a later point about Personal Data that has been collected and the ways in which Personal Data has been processed.
  • Available in the languages in which the controller in its ordinary course provides web pages, interfaces, contracts, disclaimers, sale announcements and other information.
  • Available through an interface regularly used in conjunction with the controller’s product or service.
  • Readable on all devices through which consumers interact with the controller, including on smaller screens.

Public data privacy:

  • A visual observation of an individual’s physical presence in a public place by another person is considered publicly available but "data collected by a device in the individual’s possession" is specifically carved out from this definition.
  • Doesn't include: (1) Inferences made exclusively from multiple independent sources of publicly available information; (2) Biometric Data; (3) Genetic Information; (4) Publicly Available Information that has been combined with non-publicly available Personal Data; or (5) Nonconsensual Intimate Images known to the controller.

Up Next: A detailed look at the Privacy Notice provisions of the draft rules.


For more information on the Colorado Privacy Act, assistance in submitting comments and other data privacy compliance questions, contact the author Odia Kagan at okagan@foxrothschild.com.