Communications Litigation Today was a Warren News publication.
'Ramp Up'

Industry Asks Colorado to Delay Latest Privacy Regulations

Colorado should extend the effective date for companies to comply with the latest revisions to the state's privacy law, and enforcers should consider mirroring data security regulations in other states, industry groups told Colorado Attorney General Phil Weiser (D) in recent comments.

Weiser should delay the effective date to at least 12 months from the date the rules are finalized, commented TechNet. July 1 isn’t enough time for companies to comply with the rules’ detailed requirements, the group said. The organization said the state should be focused on “enhancing interoperability across state lines for industry compliance purposes and to help Colorado contribute to a more cohesive national regulatory framework.”

U.S. Chamber of Commerce seeks tight alignment of Colorado rules with other jurisdictions’ privacy regulations, including by harmonizing the definition of biometric identifiers with Virginia, Connecticut and Utah laws. Colorado's proposed profiling rule is broader than the EU general data protect regulation (GDPR), “extending to profiling that includes human reviewed automated processing,” said the Chamber: Consumers' opt-out right should be narrowed "to only include solely automated processing.”

Delay the rules’ July 1 effective date by six to 12 months, said Denver Metro Chamber of Commerce, “to allow businesses to ramp up their data privacy protections, align corporate design cycles to sync with new privacy disclosure requirements, develop capacity to recognize and honor [universal opt-out mechanisms (UOOMs)], establish internal processes to administer consumer data requests, and make any other required adjustments before enforcement."

State regulators should follow the lead of other states and specifically reference industry best cyber practices in its duty of care section, said the Center for Internet Security. Nevada, Ohio, Utah, Connecticut and California list specific examples of industry best practices that constitute reasonable cybersecurity, said CIS.

Companies shouldn’t be forced to get consumer consent when using personal data from loyalty programs for targeted advertising purposes, a group of advertiser trade groups commented. The group included the Association of National Advertisers, the Interactive Advertising Bureau, the Digital Advertising Alliance, the American Association of Advertising Agencies and the American Advertising Federation. Colorado proposed the sale of personal data or data processing from targeted ads that’s unrelated to data-sharing from a loyalty program is “secondary use” that requires consent. The trade groups argued the “utility and feasibility of a loyalty program is diminished” without the ability to transfer personal data in the context of loyalty programs, and “typically entirely eliminated.” Data monetization is vital to loyalty programs, they said. They suggested consumers be required to actively turn on universal opt-out mechanisms, rather than having UOOMs turned on by default, as proposed. Such a change would convert the law’s opt-out for sales and targeted advertising to an opt-in, the groups said.

Colorado should remove the UOOM provision altogether, said the Computer & Communications Industry Association. This revision contradicts the CPA’s “direct guidance that the opt-out mechanism clearly represents the consumer’s affirmative, freely given, and unambiguous choice to opt-out.” The change might result in a “significant number of erroneous opt-out signals,” said CCIA.

Recent revisions have overly broadened requirements for consumer access requests, U.S. Chamber said. Additionally, the rule's protection of trade secrets in a section on portability should also apply to rules on general access rights, it said. The Chamber disagreed with proposed rules that equate buying a product that includes a UOOM as a choice to use that feature. "Consumers might adopt a particular browser for a variety of reasons not necessarily related to the marketed opt-out settings and thus not representative of an unambiguous choice.”

The Colorado Retail Council objected to rules saying that the primary purpose of loyalty programs is to be to provide benefits to consumers. That’s “a standard that cannot be met and would result in retail customer loyalty programs being considered unlawful discriminatory acts,” the council said. “The primary good-faith purposes for retail loyalty programs are to attract and retain customers, enhance customer engagement, and deepen the customers’ relationships with the retailer over time to the mutual benefit of the customers and retailer.”

Retailers also chafed at being required to comply with universal opt-outs. "Such technical capabilities do not currently exist” and “technologists widely agree that there is no consistent standard or technology that captures this requirement,” said the council: Controllers should get at least six months to implement approved UOOMs. Also, the group urged limiting the scope of biometric identifiers to those related to biological traits. "Extending the term to physical and behavioral characteristics would vastly expand the scope of the definition beyond the core policy concerns, such as to personalizing clothing sizes or hobby recommendations.” Connecticut, Utah, Virginia, Illinois, Texas and Washington state use the narrower definition in their comprehensive or biometric privacy laws, it said.

NPR and other public radio stations praised the latest draft for clarifying that the CPA isn’t meant to restrict journalism or constitutionally protected freedom of speech. “Personal data is collected and processed during crucial newsgathering activities like cultivating sources, conducting interviews, notetaking, making recordings, collaborating with colleagues, protecting the identities of confidential sources, and preparing materials for publication or broadcast,” the radio group noted.

The Colorado AG office listened to concerns from businesses and consumer advocates about proposed rules, at a hearing Wednesday (see 2302010043). California’s privacy agency approved California Privacy Rights Act (CPRA) draft rules Friday (see 2302030065).