FPF Files Comments on Colorado Privacy Act Pre-Rulemaking Activity

Today, the Future of Privacy Forum (FPF) filed comments with the Colorado Department of Law regarding forthcoming rulemaking under the Colorado Privacy Act (CPA). The CPA, which goes into effect in July 2023, will establish important new data privacy rights, controls, and protections for individuals in Colorado.

FPF’s comments are directed toward ensuring that forthcoming regulations support the effective exercise of new privacy rights, maximize clarity for business and nonprofit compliance efforts, and promote interoperability with emerging U.S. and global privacy frameworks where appropriate, particularly where the CPA uses consistent language as other jurisdictions.

Specifically, FPF recommends that forthcoming CPA regulations should:

1. Clarify the approval and role of universal opt-out mechanisms in the context of today’s labyrinth of existing permission frameworks, including in non-authenticated interactions and their application to off-site data.
2. Ensure that the CPA’s high standard for obtaining valid consumer consent is realized in practice by providing that consent must be freely revocable and establishing limits on inappropriate “bundling” of consent for disparate processing purposes.
3. Provide appropriate guidance, flexibility, and interoperability for conducting meaningful data protection impact assessments, informed by best practices developed by regulators in both U.S. and global jurisdictions with comparable requirements.
4. Establish that a broad range of ‘profiling’ decisions are subject to consumer opt-out rights and follow best practices for automated decision-making transparency so that Coloradans are fully empowered to exercise their rights.
5. Adopt a definition of “biometric data” that protects individual privacy interests by limiting invasive and non-consensual tracking and identification.