Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.

On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.

In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.

CPA Statutory Authority for Rulemaking

The CPA authorizes the Attorney General to engage in three rulemaking activities.

First, the Attorney General is granted permissive authority to “promulgate rules for the purpose of carrying out” the CPA. C.R.S. § 6-1-1313(1).

Second, the Attorney General is required to promulgate, by July 1, 2023, “technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(I)(a) or (1)(a)(I)(b).” C.R.S. § 6-1-1313(2).

Third, the Attorney General is authorized, by January 1, 2025, to “adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of” the CPA. The rules must become effective by July 1, 2025.” C.R.S. § 6-1-1313(3).

Attorney General Weiser’s Prepared Remarks

In his prepared remarks, Attorney General Weiser focused on the first of the three rulemaking activities and noted “just a few” of the “big-picture issues [the office] will need to work through” with CPA rulemaking.

The Attorney General first stated that “the process of consumer notice and approval or rejection of data sharing needs to be conducted fairly, free from what some have called ‘dark patterns,’ which can unfairly mislead consumers on this issue.” In addition, the office “will need to consider what the process will be for consumers to engage and learn about their data profiles as well as to correct inaccurate data.” Finally, the CPA’s “vision of company auditing and data protection assessment procedures is another area where we might well want to provide guidance.”

As for the rulemaking process, the Attorney General stated that the office has a “two-step process in mind.” Before drafting rules, the office will hold a series of “high-level conversations and meetings and townhalls . . . to explore what privacy protections in Colorado should look like and what important privacy issues most merit our attention.” In the next few months, the office will “post a series of topics for informal input on” the Attorney General’s website and “solicit responses in writing and at scheduled events.” By the fall, the office will post a formal Notice of Proposed Rulemaking with a proposed set of model rules and will solicit further stakeholder comments. The office anticipates that it will publish final rules by “around a year from now,” approximately six months before the CPA goes into effect on July 1, 2023.

The Attorney General’s comments are consistent with the administrative rulemaking required by C.R.S. § 24-4-103. Further information on Colorado’s rulemaking process is available on the Colorado Department of Regulatory Agencies’ website.

Finally, during the Data Privacy Day event, members of the Attorney General’s office stated that the office has hired two attorneys to assist with rulemaking and CPA enforcement. Georgetown law professor Paul Ohm gave the keynote presentation at the event and announced that he is taking a sabbatical this year, working part-time to assist the Attorney General’s office with the CPA rules.