Recently, the Colorado Attorney General’s office posted a revised draft of the regulations implementing the Colorado Privacy Act. The revisions made a number of changes, and we highlight a few key ones below.
- Specifying that the dark patterns provisions apply in certain circumstances only. The draft regulations clarify that the rules governing dark patterns apply only when designing a “user interface or a choice architecture used to obtain Consent when required under C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7).” These provisions cite to the CPA’s definition of “Consent”; the conditions in which a controller can ask a consumer to opt back in to targeted advertising or sales, after the consumer opted out; and the requirement to collect consent for secondary uses of data or processing sensitive data.
- Narrowing the definition of sensitive data inferences to those inferences which “are used to” indicate certain sensitive characteristics. The CPA does not reference “sensitive data inferences.”
- Clarifying the definition of Publicly Available Information. The draft regulations strike the exception to the definition of “Publicly Available Information” that excluded publicly available information that has been combined with non-publicly available information.
- Updating loyalty program disclosure requirements. The new regulations now require controllers to explain why deletion of Personal Information makes it impossible to provide a benefit and why sensitive data is required for a loyalty program benefit.