
This is part III in a four-part series on the Colorado Privacy Act. In this part, we address the requirements of a privacy notice along with information on special categories of processing – targeted advertising, sales of personal data, and profiling – including what must be offered to consumers to opt out of these activities. In the other parts of this series, we covered other aspects of the CPA, such as:

Transparency (Privacy Notice)

Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes 

Even though it is not an explicit requirement under the CPA to document data processing activities, the privacy notice disclosures require that controllers identify their processing activities, from collection of personal data through disclosure to third parties. 

Special Processing Activities and Consent

Controllers must offer convenient methods for consumers to opt out of having their data processed for targeted advertising, sales of personal data (taking into account the broad definition of sell), and profiling that carries significant consequences for consumers. The latter is reminiscent of the GDPR, but Colorado specifies what the significant consequences are that trigger the ability to opt out of profiling along with defining “profiling.”

Profiling. Profiling “means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Legal or significant effects that may come from profiling are specified as decisions that result in “the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.”

Targeted advertising. Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across non-affiliated websites, applications, or online services to predict consumer preferences or interest. It does not include processing personal data solely for advertising performance, reach, or frequency metrics.

Targeted advertising also does not include advertisements: 

Opt out methods. Controllers must provide a clear and conspicuous method for consumers (or their authorized agents) to opt out, both in any required privacy notice and in a clear, conspicuous, and readily accessible location outside the privacy notice. Interestingly, the “authorized agents” may indicate the consumers’ intent through weblinks indicating a preference, browser settings or extensions, or global device settings. Indeed, the technology designed and operated by entities may be deemed authorized agents, according to the language, thereby eliminating complex authorization confirmation protocols, such as notarized appointment letters.

Technical specifications. Colorado requires the Attorney General’s office to establish technical specifications for universal opt-out mechanisms. 

Important dates. These mechanisms are optional until July 1, 2024, after which controllers must offer consumers the ability to opt out of targeted advertising, sales of personal data, and profiling using universal opt-out mechanisms. 

Consent. However, consumer consent to such options, if provided appropriately, takes precedence over the choices in the universal opt-out mechanisms. Consent may be obtained through webpages, applications, or similar technology that provides clear and conspicuous notice about the choices available, the categories of personal data collected and the purposes, and how and where consumers may revoke such consent. The withdrawal of consent must be available as easily as the consent was given – another concept directly from the GDPR.

Specifically, consent does not include acceptance of general or broad terms of use or other documentation that includes descriptions of data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content (so no implicit consent); or agreement obtained through dark patterns – defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.

Visit the TrustArc blog next Wednesday, 7/7, for part IV of the blog series, covering the responsibilities of both controllers and processors, data protection assessments, and contracts within the Colorado Privacy Act.
