The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”).  These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th.  The Attorney General will convene a formal rulemaking hearing on February 1, 2023.  In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration. 

The revised Draft Rules incorporate a number of edits to the prior draft, including changes to the following terms and requirements:

  • Biometric Data & Identifiers:  The Draft Rules revise the definition of Biometric Identifiers to “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be Processed for the purpose of uniquely identifying an individual…”  The definition of Biometric Data is retained as “Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes.”
  • Publicly Available Information:  The Attorney General’s office revised the definition of Publicly Available Information to remove from its scope “[i]nferences made exclusively from multiple independent sources of publicly available information.” 
  • Changes to a Privacy Notice:  The Draft Rules require notice of “substantive or material changes” to a privacy notice and removes the requirement to provide such notice 15 days in advance.  The Draft Rules define the types of circumstances that would constitute a “substantive or material change” to include (but are not limited to) changes to the categories of personal data processed, processing purposes, controller’s identity, sharing personal data with third parties, the identity of affiliates, processors, or third parties personal data is shared with, and methods by which consumers can exercise their consumer rights requests.  If the change constitutes processing data for a secondary use, the Attorney General amended the Draft Rules to require consent.
  • Refreshing Consent:  The Draft Rules limit the circumstances that require controllers to refresh consent to those where the consumer “has not interacted” with the controller in the prior twelve months and the controller is processing (1) sensitive data pursuant to consent or (2) processing personal data for a secondary use that involves profiling for a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.  The Draft Rules also note that the controller need not refresh consent if the consumer has the ability to “update their opt-out preferences at any time through a user controlled interface.”
  • Universal Opt-Out Mechanisms:  The Draft Rules incorporate a number of changes to the discussions regarding the universal opt-out mechanisms.  For example, the Draft Rules were amended to remove discussion of the “do not sell” list as a potential universal opt-out mechanism.
  • Data Processing Assessments:  The Draft Rules make a number of changes to the required considerations that must be included in a data protection impact assessment, including removing the requirement to consider how the processing is adequate, relevant, and limited to what is reasonably necessary.  The Draft Rules add new considerations that must be addressed, including required assessments of the reasonable expectations of consumers, the sources of personal data, and the technology to be used.  Regarding data protection assessments that assess profiling, the Draft Rules add that an assessment undertaken under another jurisdiction’s law or regulation is sufficient if that data protection assessment is “reasonably similar in scope and effect.”
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.