Colorado continues to be active with regard to its comprehensive privacy law. September 25, 2024 kicked off the official public comment period on the proposed draft amendments to rules promulgated under the Colorado Privacy Act (“CPA”). The comment period will conclude on November 7, 2024. The proposed rule amendments address the CPA’s mandate for rulemaking on opinion letters and interpretive guidance, as well as two amendments to the CPA concerning biometric data and the data of online minors. Both of the bills containing these amendments, House Bill 24-1130 and Senate Bill 24-041, respectively, were passed and signed by Governor Polis in the legislative session that adjourned earlier this year.
Colorado’s comprehensive privacy law has been in effect for a little over a year. Governor Polis signed the CPA on July 7, 2021, and the law went into effect on July 1, 2023. The first set of rules developed under the CPA was filed on March 15, 2023. CPA section 1313 grants rulemaking authority to the Attorney General (“AG”) on two general topics. It stipulates that: (1) by July 1, 2023, the AG shall adopt rules relating to universal opt-out mechanisms, which can be periodically updated, and (2) by January 1, 2025, the AG may adopt rules to “govern the process of issuing opinion letters and interpretive guidance,” creating an operational framework for compliance that businesses could follow. The current rulemaking period addresses that second mandate (establishing the process for opinion letters and interpretive guidance to help businesses) as well as other recent legislation. As required by the statute, these rules must become effective by July 1, 2025.
While there have been no public enforcement actions under the CPA as yet, the AG’s office did issue a press release last year indicating that it was looking to actively enforce the law. These new rules indicate that the office continues to take its role under this law seriously. In addition to the AG’s office, the Colorado legislature is also actively focusing on the CPA, including by recently adding to the categories of sensitive data under the law. We elaborate on both the proposed rules to the CPA and the new amendments in the rest of this blog post.
For the proposed rules, the comment period will run from September 25, 2024 through November 7, 2024. The rulemaking hearing is scheduled for Thursday, November 7, 2024 and is open to the public both in-person and virtually. (Note that comments to be considered for presentation at the hearing must be submitted by October 23, 2024.) We will continue tracking these and other privacy law developments in the WilmerHale Privacy and Cybersecurity Law Blog.
Notable Proposed Rule Amendments
The first major topic for the draft amendments relates to the original CPA provision regarding the issuance of formal guidance from the AG.
- Process details for opinion letters and interpretive guidance: Under the proposed rules for this process, the AG would be empowered to issue Opinion Letters in response to specific requests from entities (“requestors”) seeking to understand how the CPA would apply to a contemplated data activity. The proposed amendments specify that a request for an Opinion Letter must be prospective, seeking advice only on an activity that the requestor will undertake contingent on the advice of the Opinion Letter. Although the AG “will not normally investigate the underlying facts of the requestor’s situation,” a requestor would be able to rely on the Opinion Letter as a good faith reliance defense if an enforcement action were initiated following the issuance of the Letter. The proposed rule amendments also detail who may request an Opinion Letter, the method of requesting, and what factors the AG may consider when deciding whether to respond to a request. If the AG opts not to issue an Opinion Letter, the AG can still issue Interpretive Guidance, which would provide general advice without having any binding effect and could be used for a good faith reliance defense. The amendments also state that Interpretive Guidance and Opinion Letters—with identifying information redacted—will be published on the AG’s website.
The other topics for the draft amendments to the rules relate to revisions made to the CPA from this past legislative session.
- Heightened protections for biometric data: The first group of proposed rule amendments would implement the changes made to the CPA by House Bill 24-1130, which increased protections and strengthened requirements around biometric data. The rule amendments define and detail what should be covered by a “biometric identifier notice,” a new requirement under the CPA. They would require employers to obtain consent from employees and prospective employees in order to collect and process biometric identifiers. Under these rules, a consumer’s right of access for biometric data would require a controller to disclose the source of the biometric data, the purpose for which the biometric data is used, and a description of the biometric data disclosed to third parties and the purpose of that disclosure (including the identity of the third party).
- Additional requirements for personal data of minors: The second group of proposed rule amendments would implement the changes made to the CPA by Senate Bill 24-041, which established additional obligations for controllers and processors of personal data of minors, including more requirements for data protection assessments conducted for online services, products, or features offered to minors. The rule amendments would require consent in order to process the personal data of a minor and in order to use “any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature” (one likely application would be in-app purchases for online gaming). Data protection assessments would also require an assessment of the sources and nature of any heightened risk of harm to minors that might result from offering an online service, product, or feature to minors.
Updates to the Definition of Sensitive Data
In addition to the CPA amendments and associated rules for H.B. 24-1130 and S.B. 24-041 (as detailed above), the Colorado legislature also enacted H.B. 24-1058, which revised the CPA to add “biological data” and “neural data” to the law’s definition of “sensitive data.” Biological data is defined as “data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes.” The definition of biological data includes neural data, which is defined as information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device. This revision means that a controller must, among other obligations, obtain a consumer’s consent before processing biological data and take other compliance steps in relation to such data, including conducting a data protection assessment.