As comprehensive privacy legislative activity heats up throughout the United States, California and Colorado, two states that have already enacted comprehensive privacy laws, are progressing with finalizing and formalizing rules and regulations that will operationalize both states' laws. In recent months, the California Privacy Protection Agency (CPPA) and the Colorado Attorney General (CAG), both states' privacy legislation enforcement authorities, have been moving forward with draft rules, regulations, and notice and comment periods ahead of target regulatory enforcement dates in July 2023. We summarize the most important developments coming out of California and Colorado, as companies should stay informed as states prepare for enforcement.

California's CPPA Finalizes Draft Regulations, Eyes New Regulations

On February 3, the CPPA unanimously voted to finalize its updated set of proposed California Privacy Rights Act (CPRA) regulations. The regulations include a host of requirements for covered entities and other associated business partners, including new consumer rights, contractual requirements, disclosure requirements, opt-in/opt-out requirements, access request handling requirements, training and record-keeping rules, cybersecurity measures, and data retention standards. The regulations and final statement of reasons were sent to California's Office of Administrative Law (OAL) on February 14, which will now have 30 days for review and approval. Barring any unforeseen circumstances, the CPPA is forecasting that the new regulations will take effect in April ahead of full enforcement on July 1. Entities preparing for CPRA enforcement should take note of the requirements delineated in this initial set of regulations, while also recognizing that the CPPA's focus will then shift to new regulations targeting cybersecurity audits, risk assessments, and automated decision-making. The finalization of the draft regulations was beleaguered with delays given understaffing at the CPPA. As such, the CPPA has added a discretionary enforcement reprieve, which will allow the agency to consider facts and circumstances associated with an entity's good faith efforts to comply with the regulations in light of the amount of time it has taken between the effective date of the CPRA or the CPPA's regulations and possible or alleged violations of those requirements.

Colorado's CAG Releases New Slate of Rules for Notice and Comment

On February 1, the CAG and Colorado's Department of Law held a rulemaking hearing on the newest slate of Proposed Draft Rules for the Colorado Privacy Act (CPA), published on January 27, 2023. Importantly, as companies gear up for compliance with the CPRA and CPPA regulations, many Colorado Draft Rules align with California, while others present key differences. The Proposed Draft Rules also contemplate topic areas that the CPPA has not yet addressed. Below is a short list of the most significant topics noted in the new rules.

Privacy Disclosure Requirements

Clearly distinct from California's regulatory scheme surrounding privacy notices and disclosures, the CAG's Proposed Draft Rules shy away from a "purpose-based" approach to disclosure, whereby controllers would need to provide a specific acceptable purpose for each processing activity. Rather, the draft rules propose a more relaxed approach to notice, only requiring controllers to list purposes in a way that would provide consumers with a "meaningful understanding" of how data is being collected. Still, if controllers process personal data for a "secondary use" (one that was not contemplated at the time of collection), notice and consent are required.

New Duty of Care

The CAG's draft rules propose an affirmative duty of care on behalf of businesses (similar to the "data security standard" under the CPRA). This means that controllers must ensure that personal data is processed "in a manner that ensures appropriate security and confidentiality."

Consumer Rights

In line with other states' comprehensive privacy legislation, Colorado also requires a delineation of consumer rights. Notably, Colorado pays particular attention to profiling (including human profiling) and automated decision-making, providing consumers with the right to receive "final profiling decisions, inferences, derivative data, and other personal data created by a controller which is linked" to an identified or identifiable individual.

Data Retention Requirements

In line with California's proposed regulations, Colorado also mandates that data controllers keep track of data retention practices and ensure compliance with data retention policies. Companies gearing up for compliance with comprehensive privacy legislation should begin conducting data inventories to effectively locate data and effectuate data retention policies and practices.

Data Protection Assessments

The CAG's draft rules include data protection assessment requirements, but recent revisions reduce the amount of information that controllers must include in such assessments. Prior to engaging in processing that presents "a heightened risk of harm to consumers," controllers subject to the CPA must conduct data protection assessments. These assessments apply to processing activities such as targeted advertising or sales, profiling, and sensitive data processing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.