Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.

On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.

In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.

CPA Statutory Authority for Rulemaking

The CPA authorizes the Attorney General to engage in three rulemaking activities.

First, the Attorney General is granted permissive authority to “promulgate rules for the purpose of carrying out” the CPA. C.R.S. § 6-1-1313(1).

Second, the Attorney General is required to promulgate, by July 1, 2023, “technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(I)(a) or (1)(a)(I)(b).” C.R.S. § 6-1-1313(2).

Third, the Attorney General is authorized, by January 1, 2025, to “adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of” the CPA. The rules must become effective by July 1, 2025.” C.R.S. § 6-1-1313(3).

Attorney General Weiser’s Prepared Remarks

In his prepared remarks, Attorney General Weiser focused on the first of the three rulemaking activities and noted “just a few” of the “big-picture issues [the office] will need to work through” with CPA rulemaking.

The Attorney General first stated that “the process of consumer notice and approval or rejection of data sharing needs to be conducted fairly, free from what some have called ‘dark patterns,’ which can unfairly mislead consumers on this issue.” In addition, the office “will need to consider what the process will be for consumers to engage and learn about their data profiles as well as to correct inaccurate data.” Finally, the CPA’s “vision of company auditing and data protection assessment procedures is another area where we might well want to provide guidance.”

As for the rulemaking process, the Attorney General stated that the office has a “two-step process in mind.” Before drafting rules, the office will hold a series of “high-level conversations and meetings and townhalls . . . to explore what privacy protections in Colorado should look like and what important privacy issues most merit our attention.” In the next few months, the office will “post a series of topics for informal input on” the Attorney General’s website and “solicit responses in writing and at scheduled events.” By the fall, the office will post a formal Notice of Proposed Rulemaking with a proposed set of model rules and will solicit further stakeholder comments. The office anticipates that it will publish final rules by “around a year from now,” approximately six months before the CPA goes into effect on July 1, 2023.

The Attorney General’s comments are consistent with the administrative rulemaking required by C.R.S. § 24-4-103. Further information on Colorado’s rulemaking process is available on the Colorado Department of Regulatory Agencies’ website.

Finally, during the Data Privacy Day event, members of the Attorney General’s office stated that the office has hired two attorneys to assist with rulemaking and CPA enforcement. Georgetown law professor Paul Ohm gave the keynote presentation at the event and announced that he is taking a sabbatical this year, working part-time to assist the Attorney General’s office with the CPA rules.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Stauss David Stauss

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents…

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Photo of Malia Rogers Malia Rogers

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures…

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures as well as drafting breach response and action plans.

Photo of Shelby Dolen Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data…

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.