With Colorado’s new comprehensive privacy law coming into effect this summer, the Insights Association called for clarifications in the proposed rules to aid compliance by the insights industry.
The Colorado Privacy Act, enacted in 2021, comes into effect on July 1, 2023. The Act adds consumer privacy rights, requires privacy notices, opt in to process sensitive data, data protection assessments for high-risk processing activities, and data processing agreements, among other things. The law has similarities to, but by no means meshes perfectly with, other state privacy laws becoming effective this year. The state Attorney General (AG) recently released a third draft of regulations implementing the Act, but has been working on rules since last fall.
In comments filed with the state Attorney General (AG) on January 31, 2023, the Insights Association asked for clarification that the exception from the definition of “targeted advertising” in the Act covers both internal first-party audience measurement and independent audience measurement, for all kinds of content (not just advertising).
“Audience measurement, particularly independent audience measurement, builds the currency upon which advertising and other content, online and off, is valued, and collects covered data about individuals for the purpose of understanding groups,” IA said.
IA also called upon the AG to determine which opt out mechanism will be recognized for the Colorado Privacy Act now, taking “into account the cost of implementing such mechanisms, and which mechanisms are presently being offered in the market as stand-alone technology solutions (rather than components of a larger package) to help medium- and smaller-sized businesses comply.”
Further, the Insights Association strongly urged the AG “to continue to draft rules so that separate privacy policies and even stand-alone, state-specific sections within a given privacy policy are not required.” With already “five different state consumer privacy laws in effect across the United States” by the end of 2023, IA observed that “[a] proliferation of state state-specific notices and disclosures will confuse consumers and not meaningfully further consumer privacy.”
IA also asked the AG to clarify that the same verbiage required by the California Privacy Rights Act (CPRA) as the text for an opt-out link would satisfy the Colorado regulations in place of the AG’s proposed examples (“Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” and “Your Opt-Out Rights”).
In addition, the Insights Association urged the AG to clarify that “where a research subject provides sensitive data (e.g., demographic information concerning race/ethnicity) as part of a market research study, it would be ‘obvious’ that such sensitive data is going to be processed for research purposes, including without limitation to provide research clients with insights into the preferences of specific demographic groups.”
Finally, IA asked that the designation of a consumer’s authorized agent for submitting requests under the Act be limited “to minors, and elderly or incapacitated individuals.”
The Insights Association will continue to pursue a comprehensive federal privacy law most conducive to insights, while preempting the patchwork of state laws. In the meantime, insights companies and organizations need to do everything they can to comply with these laws, and IA hopes that the clarifications requested from the Colorado Attorney General will make such compliance easier in Colorado.
-- IA comments on the Colorado Privacy Act (1/31/23)