EPIC was represented by the Samuelson-Glushko Technology Law and Policy Clinic (TLPC) at Colorado Law.
Introductory Discussion Body Below – for Full Comment and Appendix with Recommended Statutory Changes, Download the full PDF.
The Electronic Privacy Information Center (EPIC) is a public interest research center based in Washington, D.C. that was established in 1994 to focus public attention on emerging privacy and related human rights issues and to protect privacy, the First Amendment, and constitutional values. EPIC has a long history of promoting transparency and accountability for information technology. EPIC respectfully submits these comments in response to the Colorado Attorney General and the Department of Law’s (collectively, the Department’s) notice of proposed rulemaking (NPRM) seeking comment on proposed draft rules implementing the Colorado Privacy Act in the above-referenced docket. We commend the Department for its work to establish privacy protections for Coloradans and urge the Department to revise certain provisions in its proposed rules to provide Consumers and Controllers clear guidance with respect to their rights and duties.
Below, please see our feedback to specific questions raised by the NPRM, followed by general comments on issues that are not specifically raised by the NPRM. Our feedback is organized in the order of the nine sections mentioned in the NPRM. We have also included an appendix that contains suggested line edits for the following specific rules:
Rule 2.02 DEFINED TERMS
Rule 4.02 SUBMITTING REQUESTS TO EXERCISE PERSONAL DATA RIGHTS
Rule 4.03 RIGHT TO OPT OUT
Rule 4.04 RIGHT OF ACCESS
Rule 4.05 RIGHT TO CORRECTION
Rule 4.06 RIGHT TO DELETION
Rule 4.07 RIGHT TO DATA PORTABILITY
Rule 4.08 AUTHENTICATION
Rule 4.09 RESPONDING TO CONSUMER REQUESTS
Rule 5.07 SYSTEM FOR RECOGNIZING UNIVERSAL OPT-OUT MECHANISM
Rule 5.08 OBLIGATIONS ON CONTROLLERS
Rule 5.09 CONSENT AFTER UNIVERSAL OPT-OUT
Rule 6.04 CHANGES TO A PRIVACY NOTICE
Rule 6.05 LOYALTY PROGRAMS
Rule 6.06 PURPOSE SPECIFICATION
Rule 6.07 DATA MINIMIZATION
Rule 7.04 REQUESTS FOR CONSENT
Rule 8.02 SCOPE
Rule 8.03 STAKEHOLDER INVOLVEMENT
Rule 8.05 TIMING
Rule 8.06 ATTORNEY GENERAL REQUESTS
Rule 9.06 DATA PROTECTION ASSESSMENTS FOR PROFILING
These comments and proposed edits were initially prepared in significant part based on the draft rules released on Oct. 10, 2022. Based on the Department’s unexpected release of a second version of draft rules with extensive revisions on Dec. 21, 2022, we have prefaced the portions of our comments that respond to the first version of the draft rules with [v1] and supplemented where possible with additional reactions to the most significant and substantive revisions in the second version of the draft rules, prefaced with [v2]. However, the large extent of the revisions and their unexpected release have prevented us from reflecting every change in the second version of the draft rules here, including in the Appendix. We ask that the Department construe these comments and proposed edits consistent with the substantive points articulated below.
Given the significant breadth, depth, and complexity of the rules, we also urge the Department to announce future revisions to the draft rules in advance, accompanied by a deadline before which comments must be received to have impact on an announced revision. Doing so would reflect typical agency comment cycles and administrative law principles and would help ensure that all commenters have reasonable notice of substantive changes and reasonable opportunities to respond in earnest to the complex substance of this rulemaking.