Colorado Attorney General Releases Proposed Privacy Rules and Begins Holding Stakeholder Meetings

10 November 2022 Innovative Technology Insights Blog
Author(s): Diane Hazel, Steven M. Millendorf

On July 7, 2021, Colorado enacted the Colorado Privacy Act (CPA), becoming the third U.S. state to adopt a comprehensive privacy law. As previously described, the CPA doesn’t apply to everyone. Instead, it only applies to “controllers” that conduct business in Colorado and either process or control the personal data of at least 100,000 Colorado residents per year, or process or control the personal data of at least 25,000 Colorado residents and derive any revenue from, or receive a discount on, the sale of personal data. The CPA provides consumers with rights similar to those in the California Privacy Rights Act (CPRA), such as the rights to access, correct, and delete personal information together with the right to opt out of the use of personal data for targeted advertising, but it also includes a new right to appeal denied requests.

The CPA grants enforcement powers to the Colorado Attorney General but also obligates that office to develop rules governing the privacy of Colorado residents’ personal information and implementing the CPA. This authority includes adopting new regulations regarding the implementation and interpretation of the CPA, and specifically adopting rules on the technical specifications of one or more opt-out mechanisms to communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of processing for the purposes of targeted advertising or the sale of personal information.

After engaging in a pre-rulemaking process in which the Attorney General sought input from interested persons about the upcoming rulemaking, the Attorney General released the proposed Colorado Privacy Act Rules (Draft Rules) on September 30, 2022, kicking off the notice-and-comment rulemaking phase. At almost 40 pages long, the Draft Rules are now available for public comment.

Draft Rules Highlights

The Draft Rules address requirements for consumer disclosures (privacy notices); how consumers may submit requests to exercise their privacy rights under the CPA and requirements for responding to those requests; requirements for universal opt-out mechanisms; requirements for loyalty programs; data minimization and permitted uses of personal data; consent requirements for the use of sensitive data; recordkeeping obligations; avoiding dark patterns and other interface requirements; data protection assessments; and profiling. Some of the more impactful provisions include:

  • Universal Opt-Out Mechanisms. The Draft Rules require that controllers be capable of recognizing a universal opt-out mechanism, which would function either by listening for an opt-out signal or by querying a published “do not sell” list.
  • Privacy Notices. The Draft Rules describe the content of the privacy notices required under the CPA. Consistent with FTC guidelines, the controller must notify consumers of, and obtain consent for, substantive or material changes to the company’s privacy practices, but the CPA sets a requirement that the notice be updated at least 15 days before the change goes into effect. While the Draft Rules explicitly state that a separate, Colorado-only privacy notice is not required, the privacy notice requirements in the Draft Rules differ enough from those in other jurisdictions that a separate Colorado-only privacy notice may ultimately be the most practical option for most businesses.
  • Consent. The Draft Rules specify the circumstances in which controllers must obtain consent, such as before processing personal data involving a known child, sensitive data, personal data in specific instances after a consumer has opted out of processing, and personal data that was collected for a different purpose. Many aspects of the consent requirements are consistent with the EU’s General Data Protection Regulation. The Draft Rules also include a first-of-its-kind provision requiring that consent be refreshed at regular intervals, and annually for sensitive data.

Next Steps in Rulemaking Process

To gather feedback from stakeholders, the Attorney General’s Office will host three virtual stakeholder meetings to discuss the proposed Draft Rules. These stakeholder sessions will occur on November 10, 15, and 17, 2022, and will focus on specific topics addressed in the CPA and Draft Rules: consumer rights and universal opt-out mechanisms; business obligations and data protection assessments; and profiling, consent, and definitions.

In conjunction with the publication of the Draft Rules, the Colorado Attorney General’s Office will hold a public hearing on February 1, 2023, conducted both in person and by video conference. Anyone can request to testify at the rulemaking hearing and submit public comments. The Attorney General then has 180 days to file the adopted rules with the Secretary of State for publication in the Colorado Register. The CPA goes into effect on July 1, 2023, but the Attorney General has made clear that he will not begin enforcing the CPA until binding regulations are in effect.

The Attorney General has emphasized that his office is “open for engagement” and that his “number one [enforcement] priority are those who are willfully noncomplying with the law...” The Attorney General has previewed that his enforcement priorities distinguish between businesses that engage in “good faith, well-intentioned compliance, where you make a footfall” and violate the law and those that engage in “willful noncompliance.” Nevertheless, it remains important to begin undertaking activities that demonstrate “good faith, well-intentioned compliance.” In a previous post, we discussed ways that businesses could prioritize activities that can be re-used across other privacy regimes. If they have not already done so, organizations qualifying as controllers under the CPA should begin these activities now. After the Colorado rulemaking hearing, the Attorney General will stop accepting public comments while his office finalizes the rules, unless he decides to hold another round of amendments. Given that the CPA will go into effect on July 1, 2023, and that the Attorney General already sought input as part of a pre-rulemaking strategy, another round of amendments seems unlikely. Businesses that wish to provide comments should therefore do so during the initial comment period.

Next Steps for Businesses

Although the CPA does not go into effect for another eight months, businesses should start determining now how the obligations under the CPA and Draft Rules fit within their overall privacy compliance efforts alongside the other four states that have enacted privacy laws. California is the only other state thus far to release regulations accompanying its privacy legislation, and the Colorado Draft Rules differ from California’s in several material ways.

For more information about complying with the CPA, please contact the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.
