The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”).  These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th.  The Attorney General will convene a formal rulemaking hearing on February 1, 2023.  In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration. 

The revised Draft Rules incorporate a number of edits to the prior draft, including changes to the following terms and requirements:

  • Biometric Data & Identifiers:  The Draft Rules revise the definition of Biometric Identifiers to “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be Processed for the purpose of uniquely identifying an individual…”  The definition of Biometric Data is retained as “Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes.”
  • Publicly Available Information:  The Attorney General’s office revised the definition of Publicly Available Information to remove from its scope “[i]nferences made exclusively from multiple independent sources of publicly available information.” 
  • Changes to a Privacy Notice:  The Draft Rules require notice of “substantive or material changes” to a privacy notice and removes the requirement to provide such notice 15 days in advance.  The Draft Rules define the types of circumstances that would constitute a “substantive or material change” to include (but are not limited to) changes to the categories of personal data processed, processing purposes, controller’s identity, sharing personal data with third parties, the identity of affiliates, processors, or third parties personal data is shared with, and methods by which consumers can exercise their consumer rights requests.  If the change constitutes processing data for a secondary use, the Attorney General amended the Draft Rules to require consent.
  • Refreshing Consent:  The Draft Rules limit the circumstances that require controllers to refresh consent to those where the consumer “has not interacted” with the controller in the prior twelve months and the controller is processing (1) sensitive data pursuant to consent or (2) processing personal data for a secondary use that involves profiling for a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.  The Draft Rules also note that the controller need not refresh consent if the consumer has the ability to “update their opt-out preferences at any time through a user controlled interface.”
  • Universal Opt-Out Mechanisms:  The Draft Rules incorporate a number of changes to the discussions regarding the universal opt-out mechanisms.  For example, the Draft Rules were amended to remove discussion of the “do not sell” list as a potential universal opt-out mechanism.
  • Data Processing Assessments:  The Draft Rules make a number of changes to the required considerations that must be included in a data protection impact assessment, including removing the requirement to consider how the processing is adequate, relevant, and limited to what is reasonably necessary.  The Draft Rules add new considerations that must be addressed, including required assessments of the reasonable expectations of consumers, the sources of personal data, and the technology to be used.  Regarding data protection assessments that assess profiling, the Draft Rules add that an assessment undertaken under another jurisdiction’s law or regulation is sufficient if that data protection assessment is “reasonably similar in scope and effect.”
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.