Keypoint: The comments focus on identifying areas in which the Attorney General’s Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the Colorado Privacy Act with state and international privacy laws.

The Colorado Attorney General’s Office is currently accepting pre-rulemaking input on the Colorado Privacy Act (CPA). It also will host public listening sessions on June 22  and June 28 for those interested in providing oral comments.

Given the importance of these forthcoming regulations to the development of U.S. privacy law, members of Husch Blackwell’s data privacy practice submitted extensive comments to the Office. The purpose of the comments is to identify areas in which the Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the CPA with other state privacy laws enacted in California, Connecticut, Utah, and Virginia and international privacy laws such as GDPR.

The key points made in the comments are as follows:


  • Revocation of Consent: The regulations should clarify whether Colorado residents may revoke consent for the processing of sensitive data and for incompatible purposes. This is particularly important given that the Connecticut Consumer Privacy Act and many international privacy laws allow for the revocation of consent.
  • Interaction of Consent and Opt-Out Signals: The regulations should clarify how controllers can obtain consumer consent to sell personal data or engage in targeted advertising after receiving an opt-out signal. In particular, the regulations should confirm whether controllers can use cookie consent banners to obtain consent.

Consumer Requests

  • Methods to Receive Opt-Out Requests: The regulations should elaborate on what constitutes a “clear and conspicuous method” for exercising consumer opt-out rights. The regulations should allow controllers the discretion to utilize links other state privacy laws require (e.g., the California Privacy Rights Act) so long as the use of such links allows consumers to exercise their Colorado opt-out rights. The regulations also should encourage controllers to use “Privacy Centers” or “Privacy Portals” so controllers can provide holistic privacy information to consumers in a single location rather than multiple locations. Cluttering websites with multiple (and potentially confusing) links provides no benefit to consumers or businesses and, in fact, raises the same issues that the prohibition on dark patterns seeks to regulate – i.e., confusing consumers.
  • Authentication of Requests: The regulations should clarify what constitutes “reasonable means to determine that a request to exercise any of the rights in section 6-1-1306(1) is being made by or on behalf of the consumer who is entitled to exercise the rights.” The Office should implement a flexible approach that allows controllers to authenticate a consumer’s identity based on the circumstances of the request as opposed to prescriptive standards.

Privacy Notices

  • The regulations should clarify what constitutes a “reasonably accessible, clear and meaningful privacy notice.” Consistent with the existing laws, the regulations should state that controllers can provide notices through website footer links using the word “Privacy.” To aid consumers and businesses, the Office also should exercise its discretionary rulemaking authority to specify that controllers may (and are encouraged to) provide CPA disclosures in conjunction with other state and international disclosures. In other words, controllers do not need a separate Colorado privacy notice.

Definition of Biometric Data

  • The CPA requires controllers to obtain consumer consent for the processing of biometric data, but does not define biometric data. The Office should define “biometric data” using the recent definition from the Connecticut Data Privacy Act, which is consistent with GDPR’s definition.

Reasonable Limitations on Access Requests

  • Data Breach Exception: The regulations should prohibit controllers from disclosing personal information subject to Colorado’s data breach notification statute in response to consumer access requests. This prohibition is consistent with the prohibition on disclosing such information found in the CCPA regulations.
  • Protection of Trade Secrets: The regulations should clarify that the CPA does not require controllers to disclose trade secrets in response to access requests.