
The Colorado Privacy Act – What the Draft Rules Say About Privacy Notices and Loyalty Programs

By Odia Kagan

Fourth in a series of articles on the Colorado Privacy Act draft rules.

There is much to know about Colorado’s draft rules regarding the Colorado Privacy Act, which was enacted in July 2021.

This alert takes a look at the draft rules’ privacy notice and loyalty program provisions.

The state is currently accepting comments on the rules and plans to hold a series of hearings with stakeholders throughout November. For assistance in submitting comments, contact the author, Odia Kagan.

Additional details on the hearing schedule and provisions for providing comments can be found here.

A privacy notice must include:

  • A comprehensive description of your online and offline Personal Data processing practices, including the following information for each processing purpose:

    • The purpose, in sufficient detail; if it includes targeted advertising or profiling, mention that specifically
    • The categories processed, specifically setting out sensitive information and described in a level of detail that provides consumers a meaningful understanding of the type of Personal Data processed
    • Categories of information that you sell or share
    • Categories of third parties to whom you sell or with whom you share, in a level of detail that gives consumers a meaningful understanding of what type of entity the third party is and, to the extent possible, how the third party may process Personal Data
    • Additional disclosure for profiling (see below)
    • A list of the data rights available and a description of the methods to exercise them, including instructions for using each method, instructions for submission by an authorized agent, and a description of the process for authentication
    • Your contact information
    • Instructions on how to appeal a decision
    • The date the notice was last updated
    • If you delete Sensitive Data Inferences within 12 hours, a description of the Sensitive Data Inferences subject to this provision and the retention and deletion timeline for such Sensitive Data Inferences

Changes to Privacy Notices:

  • Notice of a substantive or material change to a privacy notice must be made 15 calendar days before the change goes into effect.
  • You must notify consumers of substantive or material changes to a privacy notice, including, but not limited to, changes to:
    • Categories of Personal Data processed
    • Processing purposes
    • Your identity
    • Methods by which consumers can exercise their Data Rights
  • Changes to a privacy notice shall be communicated to consumers in a manner by which the controller regularly interacts with consumers.
  • You must obtain consent from a consumer before processing Personal Data for a secondary use, even if the new purpose is disclosed in the privacy notice.

Loyalty Programs

You must provide the following additional disclosures with respect to loyalty programs in your privacy notice, in your loyalty program terms and in the consent disclosures accompanying a request for consent to process Sensitive Data in connection with a loyalty program:

  • Categories of Personal Data or Sensitive Data collected through the loyalty program that will be sold or processed for targeted advertising
  • Categories of third parties that will receive the consumer’s Personal Data and Sensitive Data, including whether Personal Data will be provided to data brokers
  • The value of the Bona Fide Loyalty Program Benefits available to the consumer if the consumer opts out of the sale of Personal Data or processing of Personal Data for targeted advertising, and the value of the Bona Fide Loyalty Program Benefits available to the consumer if the consumer does not opt out of the sale of Personal Data or processing for targeted advertising
  • A list of any Bona Fide Loyalty Program Benefits that require the processing of Personal Data for sale or targeted advertising, and the third party receiving the Personal Data and providing each such Bona Fide Loyalty Program Benefit, if applicable
  • You may not increase the cost of or decrease the availability of a product or service based solely on a consumer’s exercise of a data right.
  • You are not prohibited from offering Bona Fide Loyalty Program Benefits to a consumer based on the consumer’s voluntary participation in that Bona Fide Loyalty Program.
  • You may not condition a consumer’s participation in a Bona Fide Loyalty Program on the consumer’s consent to process Sensitive Data unless the Sensitive Data is required for all Bona Fide Loyalty Program Benefits.
  • If the consumer requests that data be deleted or that sensitive data not be processed, such that it is not possible to provide the loyalty program benefit to the consumer, you must still provide the benefits that are possible to provide (e.g., non-personalized).
  • If a consumer’s decision to exercise a data right affects the consumer’s membership in a Bona Fide Loyalty Program, you must notify the consumer of the impact of their decision at least 24 hours before discontinuing the Consumer’s Bona Fide Loyalty Program Benefit or membership, and must provide a reference or link to the loyalty program disclosures.

Up Next: A detailed look at the consumer rights provisions of the draft rules.


For more information on the Colorado Privacy Act, assistance in submitting comments and other data privacy compliance questions, contact the author Odia Kagan at okagan@foxrothschild.com.