The importance of data privacy and protection is being recognized by many countries, and new legislation is being formed. The statistics of the United Nations Conference on Trade and Development show that 71% of countries have their privacy legislation and 9% of the countries are with draft legislation.

In the United States, state law refers to the law of each separate state. Fifty states are separate sovereigns that have their state constitution, state governments, and state courts.

One such state, Colorado released its first draft of the Privacy Act on October 10, 2022, after the public consultation the second draft of the Colorado Privacy Act (CPA) rules was published by the Colorado Office of the Attorney General on December 21, 2022, with further changes made.

This Act has similarities not only with the European Union’s General Data Protection Regulation (GDPR) but also with California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA).

This law secures the new privacy rights for Colorado consumers. Let’s look into the changes that were made compared to the first draft.

WHAT’S NEW?

On comparing the first and the second draft, there were changes based on the public comments and the feedback received from the three stakeholder sessions that were conducted.

Some of the notable changes that were made in the second draft include the updated version of definitions, the purpose-based privacy notices were removed, the requirements of the data protection assessments were changed, and relaxing conditions on when businesses have to seek refreshed consumer consent.

UPDATE ON DEFINITIONS

Some of the existing definitions were updated and new definitions were included. The definition of the terms controller, employer, and employer records were added. The definition of

“commercial product or service” is defined and it also provides some clarification based on the scope of applicability.

One such update made was regarding the definition of consumer rewards programs, that offer benefits to consumers who voluntarily opt into data collection. Considering the first draft, the second draft did not define the “Bona fide loyalty program”, but the latest draft version of the CPA states loyalty program is one in which “established for the genuine purpose of providing discount, rewards or other actual value to the consumers that voluntarily participate”.

REMOVAL OF PURPOSE-BASED PRIVACY NOTICES

The second draft made significant changes in the privacy notices that will benefit the controllers which state that there is no requirement in drafting the privacy notices based on processing purposes.

The first draft rules required the controllers to describe each of the processing purposes and also to provide specific disclosures based on that purpose. But the second draft removed those requirements and included additional information on the controller’s requirement to notify consumers of the substantive or material changes to a privacy notice.

The substantive or the material changes may include but are not limited to, changes to:

1. The categories of personal data processed

2. Processing purposes

3. Controller’s identity

4. Act of sharing personal data with third parties

5. The identity of affiliates, processors, or third parties that personal data is shared or

6. The methods by which consumers can exercise their data rights request.

REFRESHING CONSENT

In the first draft rules, there was a requirement for the controllers to refresh the consent on an annual basis for the processing of sensitive data. Now, according to the second draft rules the refreshing consent is limited to the instances when the consumer has not interacted with the controller in the prior 12 months. The controllers are also not required to refresh the consent when

the consumer has access and the ability to update their opt-out preferences at any time through a user-controlled interface.

OPT-OUT OPTION

The initial draft stated that the controllers need to provide an opt-out option directly or through a link in the privacy notice as well as the location outside the privacy notice, but in the second draft, this is no longer needed, but the business needs to provide consumers with a clear and conspicuous method of opting out.

UPDATE ON RIGHTS

The second draft clarifies that a request to access specific pieces of personal data that includes the final profiling decisions, inferences, derivative data, and other personal data that are created by the controller which is linked or reasonably linkable to an individual or identifiable individual.

Now, the right to correction does not extend to the archive or backup systems until the system is restored to an active system or is next accessed or for commercial purposes. If there is a denial of the request to correct based on its determination that the contested personal data is likely to be accurate, then the explanation of that decision to the consumer must be provided.

The controllers also no longer needed to instruct the processors to correct the inaccurate personal data but rather must use the technical and organizational measures or process established by processors.

Regarding the right of deletion, if the controller denies a request to delete based on an exception it no longer needs to provide the consumer with “a list” of personal data that was not deleted but rather must provide the consumer with “the categories” of personal data that were not deleted.

DATA PROTECTION ASSESSMENT

Significant updates were done on the assessments, where the draft rules narrow the topics that the controllers must consider in preparing data protection assessments. The initial draft rules identified 18 topics for consideration, considering the second draft rules the topics are narrowed down to 13. The level of specificity in the rules is an important sign that the assessments are of high importance for the controllers to demonstrate compliance with the CPA. Still, there is a requirement for the

controllers to engage in conducting extensive analysis while conducting these assessments according to the second draft.

DUTY OF CARE

Significant clarifications were made on ensuring the protection of personal data that were collected, stored, and processed where the controllers need to be aware of the requirement to ensure the reasonable, appropriate technical, and organizational, safeguards on such personal data. So, it is an important guide for how the controller should determine what is appropriate, including the consideration of industry standards, the sensitivity of data, and the risk of harm if the data was accessed in an unauthorized manner. There is also the inclusion of provisions related to the processing of sensitive data inferences and species deletion requirements.

On the whole, the second draft of the Colorado Privacy Act rules is more business-friendly and provides the importance of what the controllers should do to comply with the California Privacy Act.

In conclusion, the third draft of the Colorado Privacy Act (CPA) rules was released on January 27, 2023, by the Attorney General’s office based on the public comments on the modified proposed rules of the second draft that was published on December 21, 2022. The Colorado Privacy Act will take effect on July 1, 2023.

From this, it can be implied that the recent wave of legislation comes as concerns over the collection of data grow.

Tsaaro has the best cybersecurity and data privacy professionals, who help in complying with the laws, as the effect of the Colorado Privacy Act is near, get compliance services from Tsaaro.

And also, it is high time to consider upskilling with the CIPPE/US offered by Tsaaro Academy and create an edge.

Tsaaro is equipped with outstanding privacy trainers, who have real-world experience in handling compliance issues for many organizations, various other courses are offered, if you’re looking for upskilling with the privacy courses then visit our website to know more about the various courses offered.

Upskill with Tsaaro!