With 2022 behind us, what will companies need to address for U.S. privacy laws in the first half of 2023? New regulations. The latest regulation drafts for California and Colorado have a number of requirements that differ from the statutes and may require changes to privacy operations and business practices. Here are nine areas that may require changes:

1. Adjusting individual rights receipt and response processes

Both drafts specify how companies must receive individual rights requests, and when multiple methods must be offered. Companies that have a website and physical presence must have two or more methods with one being online. Colorado may require another to be in person and California will require one to be by toll-free number. This means some businesses may need more than two methods to comply with both proposals. 

Processes for responding to rights requests may need to be updated:

  • Agents. Companies would not be able to require notarized authorizations for requests by agents in Colorado, unless the requestor is reimbursed for the notarization fee; all rights requests must be free.
  • Access. Responses to access requests may need to be updated to provide all personal data in Colorado, including profiling decisions, inferences, and data derived from personal data. They may need to be supplemented with contextual information to be concise, transparent and easily intelligible, including by avoiding “incomprehensible internal codes” and including explanations to empower informed decisions by the individual.
  • Correction. Requests to correct personal data can only be directed to self-serve tools if the individual can make all requested corrections in this manner under the Colorado proposal. Both proposals also clarify that correction must be done in all systems where the data exists. California proposes detailed requirements about accepting and requesting documentation to justify a correction request that will require procedures to address. Responses to correction requests that are not fully fulfilled must detail the reasons why, and, if it is possible to delete in lieu of correcting, instructions for submitting a deletion request must be provided in California.
  • Deletion. California’s draft requires details to be provided in response to deletion requests that are not fully fulfilled. Categories of data that are not deleted must also be detailed in responses to requests in Colorado.  
  • Denials. For requests that are denied or not fully fulfilled, details about the denial and incomplete fulfillment may need to be provided. For example, the Colorado draft requires the response to indicate the specific basis for not fulfilling a request including, if applicable, describing the specific statutory exception relied upon. Colorado requires responses to denied or not-fully-fulfilled requests of any type to include instructions for appealing the decision.

Records of all individual rights requests received, and how they’re responded to, would need to be retained for 24 months in Colorado.

2. Integrating rights fulfillment with vendor and service provider practices

The draft regulations further detail actions controllers must take to address individual rights requests when they allow vendors or third parties to process personal data. For example, California clarifies fulfilling a deletion request includes notifying all service providers and contractors, and all third parties they “sell” or “share” with, that have personal data in-scope for the request. Colorado’s regulations would require access requests to provide data maintained by processors. Colorado’s proposal would require controllers to utilize processor tools and processes for communicating and fulfilling individuals’ rights requests they receive, including for opt-out, access, correction and deletion.

3. Receiving and actioning various types of opt-out signals

The drafts provide additional technical and operational requirements for addressing opt-out signals that may require more than cookie-centered solutions. Colorado would mandate honoring “universal opt-out” mechanisms recognized by the state by July 2024, including for targeted advertising and sales of personal data. California would expand current regulations requiring honoring a global privacy control signal as a “do not sell” request to also count as a do not “share” (for cross-context behavioral advertising) request. Neither proposal would allow companies to request additional data to authenticate identities before honoring, but both require companies to honor requests for associated consumer records and profiles (not just the specific browser or device). Both proposals contain additional restrictions on communicating opt-out status to individuals and on asking for consent after a signal is received.

4. Website, application and other changes when collecting personal data and consent

The regulations may require other disclosures and user interface changes when collecting personal data, as not all information can be in a privacy notice. For example, California clarifies existing “notice at collection” requirements to include detail about whether the data is “sold” or “shared” and retention information. When the data is collected on the phone or in a physical location, California may require disclosures then, including about the right to opt-out of having the data “sold” or “shared.” Colorado proposes requiring each specific purpose for which personal data is collected and processed to be disclosed, potentially separate from the privacy notice.

Colorado has also proposed detailed requirements for obtaining and maintaining consent, when required. Consent to a privacy notice is likely insufficient; rather, affirmative action, freely given, that is specific, informed and shows unambiguous agreement is required and the regulations provide dos and don’ts for each of those required elements. For example, separate consents are required for different processing purposes. Detailed disclosures are required to make it “informed,” with some of the disclosures being required within the “consent interface” not in any linked notice. Some consents may need to be refreshed if a consumer does not interact with the company in any 12-month period.

Both California and Colorado prohibit “dark patterns” including when seeking consent or allowing revocation of consent, and both sets of regulations contain detailed guidance for identifying dark patterns. A privacy-focused review of data collection and consent practices will likely be needed to address these requirements, and as California may look to the impact of design choices in evaluating whether a dark pattern exists, privacy reviews may want to consider commonly collected A/B testing results and data justifying design choices.

5. Enhancing and embedding privacy assessment processes

Companies may need to expand and enhance protocols for requiring privacy reviews in different teams or business units. For example, Colorado’s draft requires cross-functional stakeholder participation to examine a number of topics in a data protection assessment when required by the law or regulations. Existing privacy assessment practices may need to be expanded to cover all the draft requirements, including documenting which stakeholders contributed and getting signatures of those who reviewed and approved the assessment. All assessments need to be completed before any personal data processing starts, and some must be reviewed and updated periodically (or annually in some cases).

Colorado also has proposed requiring a data minimization assessment whenever personal data is collected and before secondary uses occur, and California has requirements whenever personal data is collected that may require a form of privacy assessment. For some personal data types, Colorado would require a re-assessment of a data minimization assessment at least annually. Colorado has detailed requirements for what these assessments must consider and would require retention of the documented assessments for three years after the processing stops.

6. Operationalizing do not sell or share requirements including with contracting practices

The California draft clarifies that if personal data is provided to another company without a contract that contains all the requirements of a “service provider” or “contractor” — including specific contract provisions in the regulations — then that can be a “sale” or “sharing” for which opt-outs need to be offered and honored. Risk-based decisions about vendors without compliant contracts may need to be revisited based on this clarification, with a more compliant approach justifying renewed efforts to update contracts, cease use of vendors who won’t agree to required contract terms, or suppress data disclosures for those who opt out.

On a go-forward basis, contracting and contract expansion and renewal processes should be updated to ensure required contract terms are in place.

7. Loyalty club disclosures and balancing with individual rights

The Colorado draft has requirements for balancing personal data needs of “bona fide loyalty clubs” with individual data rights, such as for data deletion. These include general requirements to continue to offer loyalty club benefits while honoring deletion requests to the extent possible, and to notify individuals requesting data rights before fulfilling a request that would impact loyalty club benefits. Companies with loyalty clubs may need to change programs and processes to address these regulations, and update privacy policies, program terms and consent disclosures to include required details (e.g., the value of benefits if opting out of sale or use of personal data for targeted advertising, what benefits require personal data, etc.).

8. More privacy notice changes and update protocols may be needed

The drafts include details about what must be contained in a privacy notice, and some companies may need further updates to comply. For example, Colorado requires descriptions of the types of third parties that personal data may be shared with that may be more granular than existing disclosures, such as “data brokers,” “lenders” and “payment processors” rather than “partners” or “vendors.” It also would require details about appeal rights from individual rights requests that are not fully processed.

Colorado’s proposal also includes prescriptive requirements for communicating material or substantive changes to privacy policies. The regulations specify that an array of change types such as to categories of personal data processed, the identity of affiliates or processors, or how to request individual rights, are material or substantive. 

9. 'Profiling' practices may need to be adjusted and better described

Colorado’s draft includes additional requirements for “profiling” — automated processing to evaluate, analyze or predict information about an individual — when it’s producing legal or other significant effects. Details need to be provided in a privacy notice about the profiling, including for example about what decisions and personal data are subject to it, how the logic works, how humans are involved, and if the process is evaluated for accuracy, fairness or bias. The regulations also set criteria for how much human involvement is required before an opt-out does not need to be honored for the profiling, and what must be disclosed to the individual if the opt-out is not honored in such circumstances. Specific criteria are also identified for evaluation in a privacy (data protection) assessment of profiling applications that produce legal or other significant effects, so review processes may need to be supplemented to include these criteria.

For companies that prioritize regulatory compliance, first half of 2023 privacy priorities should include a close review of the final California and Colorado regulations, which appear set to have operational and business impacts beyond those required by the laws alone.