On December 5, the Colorado AG’s Department of Law (“Department”) completed its most recent round of rulemaking and adopted a new set of rule amendments for the Colorado Privacy Act (“CPA”). The adopted rules were filed with the Secretary of State on December 17, 2024 and will become effective on January 30, 2025. The new rule amendments establish the process for Opinion Letters and interpretive guidance issued by the AG to help businesses. They also implement guidance regarding two bills, House Bill 24-1130 and Senate Bill 24-041, that the Colorado legislature passed in this year’s legislative session. These laws amended the CPA to address the regulation of biometric data and online minors’ data.
The Department first proposed draft amendments to the CPA rules on September 13, 2024 and accepted public input on the proposals from September 25 to November 7, 2025. The Department closed out the public comment period with a public rulemaking hearing on November 7, 2024, which was held in-person and also broadcast online. Most recently, on December 16, 2024, Attorney General Phil Weiser filed a formal opinion that the adopted rules are constitutional and have no legal deficiencies.
In this post, we summarize what the final rule amendments impose and how they differ from the prior proposed versions. We will continue tracking and writing about state privacy law developments in the WilmerHale Privacy and Cybersecurity Law Blog, so follow us to stay up-to-date on the latest privacy news.
Summary and Notable Changes in the Final Rule Amendments
Below we are re-publishing parts of the rule amendment summaries from our prior post along with a brief analysis of any important changes and revisions made to these rule amendments in response to the public comments and hearing. As a reminder, the first rule amendment described below was issued pursuant to CPA section 1313, which states that by January 1, 2025, the AG may adopt rules to “govern the process of issuing opinion letters and interpretive guidance,” intended to provide operational guidance for business compliance. The other rule changes relate to CPA amendments passed in the 2024 legislative session.
- Process details for AG Opinion Letters and interpretive guidance: The rules establish that the AG is empowered to issue Opinion Letters in response to specific requests from individuals or entities (“requestors”) seeking to understand how the CPA would apply to a contemplated data activity. A request for an Opinion Letter must concern prospective activities and may only seek advice on an activity that the requestor will undertake contingent on the advice of the Opinion Letter. Although the AG “will not normally investigate the underlying facts of the requestor’s situation,” a requestor would be able to rely on the Opinion Letter as a good faith reliance defense if an enforcement action were initiated following the issuance of the Letter. The proposed rule amendments also detail who may request an Opinion Letter, the method of requesting, and what factors the AG may consider when deciding whether to respond to a request. If the AG opts not to issue an Opinion Letter, they can still issue Interpretive Guidance, which would provide general advice without having any binding effect and could not be used as a good faith reliance defense. The amendments also state that Interpretive Guidance and Opinion Letters will be published on the AG’s website.
- What changed: The final rule amendments remained largely the same as the draft version first proposed in September. The main updates to the draft rules addressed the information privacy protections in place for any information shared by the requestor with the AG. The final rules assert that if a requestor submits any data protection assessment conducted “in anticipation of the contemplated processing activity” (as mandated by the rules) as part of the request for an Opinion Letter, these data assessments will be treated as confidential and exempt from public access via a Colorado Open Records Act (“CORA”) request. The rules also affirmatively state that providing the assessment does not constitute a waiver of any other privileges. The final rules also establish that any Opinion Letter published on the AG’s website will have any information redacted and protected as required under CORA.
- Heightened protections for biometric data: These rule amendments define and detail what should be covered by a “biometric identifier notice,” a new requirement in the CPA. This notice should be “reasonably accessible” and use plain, straightforward language to provide information regarding the collection, purpose, length of retention, and any disclosure of the biometric identifier. Employers are required to obtain consent from employees and prospective employees in order to collect and process biometric identifiers. Under these rules, a consumer’s right to access for biometric data obligates a controller to disclose the source of the biometric data, the purpose for which the biometric data is used, and a description of the biometric data and purpose for third-party disclosure (including the identity of the third party).
- What changed: The final rules clarify that the biometric identifier notice should be made available at or before the initial collection or processing of the biometric data or “before a material change to the processing purpose” of the biometric identifier. The rule, as proposed, initially required the biometric identifier notice to be a separate notice. This provision was revised so that the notice may be separate or included in a general privacy notice if the privacy notice contains clear labels. Additionally, the final rules clarify that once an employer has consent from an employee, it is not required to “refresh the consent” if more than 2 years have elapsed; this is an exception to the rules’ general mandate for refreshing consent with regard to biometric identifiers. However, an employer is required to refresh consent if additional categories of the employee’s biometric identifier are added or the data is processed for a secondary use to which the employee has not consented.
- Additional requirements for personal data of minors: The final rule amendments first reiterate that “child” refers to an individual under 13 years old and “minor” refers to any consumer under 18 years. They establish additional obligations for controllers and processors of personal data of minors, including more requirements for data protection assessments conducted for online services, products, or features offered to minors. The rule amendments require valid consent in order to process the personal data of a minor and in order to use “any system decision feature to significantly increase, sustain, or extend the use of an online service, product, or feature” of a consumer who is a minor (one likely application would be in-app purchases for online gaming). Data protection assessments also require an assessment of the sources and nature of any heightened risk of harm to minors that might result from offering an online service, product, or feature to minors.
- What changed: The final rule amendments remained largely the same as the draft version first proposed in September. The final rules clarify that all valid consent requirements for consumers who are minors apply if the “controller actually knows or willfully disregards” that a consumer is a minor.