Keypoint: The proposed draft amendments modify the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretive guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature this year.
On September 13, 2024, the Colorado Attorney General’s office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The office also announced a rulemaking hearing on Thursday, November 7, 2024, and will accept written public comments until that date.
The draft proposed amendments create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature this year – SB 41 (kids’ privacy) and HB 1130 (biometric privacy). You can read more about SB 41 and HB 1130 here and here.
In the below post, we provide a short summary of some of the more notable parts of the proposed amendments.
For ease of analysis, the below article discusses the amendments based on the three topics they address: (1) biometric privacy, (2) children’s privacy, and (3) opinion letters and interpretive guidance.
Biometric Privacy
HB 1130 amended the CPA to create new obligations for entities that collect biometric data and identifiers. The amendments go into effect on July 1, 2025.
One of the new requirements is that controllers must, before collecting or processing biometric identifiers, inform the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner that (1) a biometric identifier is being collected; (2) the specific purpose for which a biometric identifier is being collected; (3) the length of time that the controller will retain the biometric identifier; and (4) if the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor and the purpose for which the biometric identifier is being shared with a processor.
To operationalize that requirement, the proposed amendments create a new Rule 6.12 (Biometric Identifier Notice). The proposed rule requires that the biometric identifier notice be provided at or before the collection or processing of biometric identifiers. Further, if the notice is provided in a privacy notice, it must be “clearly labeled” so consumers can “easily access the section of the privacy notice containing relevant information.”
The notice also must be “reasonably accessible” and “may be” provided by a separate notice or linked to from the homepage of a website or on a mobile application’s app store page or download page. If a link is used, it must be “conspicuous and clearly indicate it relates to Biometric Identifiers in the link text.”
The proposed amendments also create a new Rule 7.09 (Employee Consent to Collect and Process Biometric Identifiers). By way of background, HB 1130 generally requires that an employer and its processors obtain an employee’s or prospective employee’s consent to collect and process biometric identifiers. Here, the proposed rule does not appear to create any new substantive requirements that are different from those already stated in the CPA and existing regulations.
The proposed amendments also modify existing Rule 7.02 (Required Consent) to provide that a controller must obtain valid consent prior to “selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating Biometric Identifiers, subject to the exceptions in 6-1-1314(4)(b).”
Finally, the proposed amendments modify existing definitions of “biometric data” and “biometric identifiers” in Rule 2.02 to align them with the definitions used in HB 1130. The proposed rules also add a new definition of “employee” based on the definition contained in HB 1130. That results in the rules now having two definitions of “employee.”
Of note, the proposed amendments do not address the appropriate security standards for biometric identifiers and biometric data. That topic was specifically identified as an area for permissive rulemaking in HB 1130. See C.R.S. § 6-1-1314 (“The Department of Law may promulgate rules for the implementation of this section, including rules promulgated in consultation with the Office of Information Technology and the Department of Regulatory Agencies establishing appropriate security standards for biometric identifiers and biometric data that are more stringent than the requirements in this section.”).
Children’s Privacy
The modifications to address the CPA amendments contained in SB 41 are relatively minor. By way of background, SB 41 creates new obligations for entities that offer any online service, product, or feature to minors (defined as under 18). Those amendments go into effect on October 1, 2025.
The proposed amendments first add definitions of “child” and “minor” by reference to how those terms are defined in the CPA (i.e., under 13 and 18 years of age, respectively).
The proposed amendments also modify Rule 7.02 (Required Consent) to provide that a controller must obtain valid consumer consent prior to (1) processing the personal data of a minor and (2) using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature.
Finally, the amendments update Part 8 (Data Protection Assessments) to reference the new data protection assessment requirements in SB 41.
Opinion Letters and Interpretive Guidance
By way of background, CPA § 6-1-1312(3) states: “By January 1, 2025, the attorney general may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of this part 13. The rules must become effective by July 1, 2025.” This section is intended to align with the expiration of the CPA’s right to cure.
The proposed amendments address this by creating a new Part 10 (Interpretive Guidance and Opinion Letters).
With respect to opinion letters, a requestor can submit a request subject to certain requirements. For example, the request “must be prospective in nature, pertaining to an activity that the requestor in good faith specifically plans to undertake.” Requests cannot be used for general questions of interpretation or for positing hypothetical situations. Requests are not anonymous when submitted to the office. The Attorney General has discretion to not issue an opinion letter based on criteria set forth in the proposed rules. If an opinion letter is issued, it will be published on the Attorney General’s website. The office will redact identifying information, but it still may be possible to identify the requesting party based on the letter’s contents.
Finally, if the office files an enforcement action against the requestor, the requestor may “legally rely upon the Opinion Letter in asserting a good faith reliance defense.” However, that good faith reliance defense only applies to the requestor – not persons or entities that are not subject to the letter – and is predicated on the facts as presented by the requestor being accurate.
With respect to interpretive guidance, the proposed rules provide that any person affected directly or indirectly by the CPA may request interpretive guidance from the Attorney General. The office also has discretion to convert a request to issue an opinion letter into interpretive guidance or to issue interpretive guidance “when the Attorney General believes that such general information will assist an individual, organization, or the general public.”
Interpretive guidance is not binding on the Attorney General, is informational only, and may not serve as a basis for a good faith reliance defense.