For years, most privacy policies followed the same core structure: what information is collected, how it is used, and how it is shared. These three types of disclosures were not linked to each other, so consumers could not be sure how a company might be using or sharing their specific information. For example, a consumer may know that a company collects contact information when they sign up for its newsletter and when they file a customer complaint. The consumer may also know that the company sells information to third parties who will then market to them. But the consumer does not know which information is actually sold to those third parties.
With the advent of the California Consumer Privacy Act (“CCPA”), a new, information-driven structure began to emerge. Under this model, a business had to disclose to consumers which statutorily defined categories of personal information it collects, whether it sells each category, and the categories of third parties to whom each category is sold. To comply with these requirements (and to ensure that consumers understood what each statutory category of information included), many businesses used some version of the “California Chart”:
| Categories | Examples | Sold | Third Parties to Whom Sold |
| --- | --- | --- | --- |
| Identifiers | Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers | Yes | Business Partners |
Going back to the original example, consumers would now know that the business sells “Identifiers,” which could include name and email address. But they still would not know whether the business sells all names and email addresses regardless of whether they were collected for the newsletter or through customer complaints. The California Privacy Rights Act (“CPRA”) expanded the information required in the California Chart, but it kept the same information-driven approach.
The draft rules for the Colorado Privacy Act (“CPA”) took a fundamentally different, purpose-driven approach. Under this approach, for each purpose of collection, companies will need to disclose what types of information are collected, whether that information is used for targeted advertising or sales, and the third parties to whom it is sold. To satisfy this new approach, businesses would need to use a new “Colorado Chart”:
| Purpose | Categories of PI | Targeted Advertising / Sales | Third Parties to Whom Sold |
| --- | --- | --- | --- |
| Newsletter | Contact Information | No / Yes | Business Partners |
| Customer Service | Contact Information | No / No | N/A |
After the initial draft of the Colorado rules was released, it was widely recognized that this purpose-based approach differed from the California information-based approach. However, when the Colorado Attorney General released revised rules, many commentators seemed to read them as meaning that the California Chart would satisfy the Colorado requirements. But looking at the actual changes, the Colorado approach appears to remain very much purpose-driven: the Colorado rules still require businesses to disclose the same set of information (i.e., the categories of information, whether it is used for targeted advertising and sales, and the categories of third parties to whom it is sold), but “linked in a way that gives Consumers a meaningful understanding of how their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose.” The California Chart, like any information-driven disclosure, does not link the disclosures in this manner, because they are tied to the type of information and not to the purpose. While a company could theoretically alter the California Chart to break out the purposes for each category of information, the result would likely be confusing.
Simply put, unless another revised draft of the Colorado rules changes course, privacy policies appear to be one area where companies likely cannot find a “lowest common denominator” that provides uniform compliance across the board. Instead, it is an area where the “laboratories of democracy” are testing new approaches in an effort to find what strikes the best balance between protecting consumers and enabling businesses to function without overwhelming compliance costs. Companies should therefore resist the urge to assume that complying with the CPRA automatically means that they are complying with the CPA.