Alexandra Scott, Lindsey Tonsager, Libbie Canter, and Jayne Ponder of Covington & Burling write:
Recently, the Colorado Attorney General’s office posted a revised draft of the regulations implementing the Colorado Privacy Act. The revisions made a number of changes, and we highlight a few key ones below.
- Specifying that the dark patterns provisions apply in certain circumstances only. The rules clarify that the rules governing dark patterns apply only when designing a “user interface or a choice architecture used to obtain Consent when required under C.R.S. §§ 6-1-1303(5), 6-1- 1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7).” These provisions cite to the CPA’s definition of “Consent;” the conditions in which a consumer can ask a consumer to opt back in to targeted advertising or sales, after the consumer opted out; and the requirement to collect consent for secondary uses of data or processing sensitive data.
- Narrowing the definition of sensitive data inferences to those inferences which “are used to” indicate certain sensitive characteristics. The CPA does not reference “sensitive data inferences.”
Read more at InsidePrivacy.