Keypoint: The attorney general’s office modified the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature during the 2024 session.
On December 6, the Colorado attorney general’s office notified the public that it has adopted updated Colorado Privacy Act (CPA) Rules. The office provided a clean version of the new rules as well as a redline of the changes.
The new rules create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature during its 2024 session – SB 41 (children’s privacy) and HB 1130 (biometric privacy). You can read more about SB 41 and HB 1130 here and here.
The adopted rules come after the office published draft rules in September and held a public hearing in November. The office made modifications to the rules based on public feedback received during that process.
The new rules still need to clear two hurdles before they go into effect. According to the attorney general’s office, “[a]s the final step in the rulemaking process, the Department has requested a formal opinion on the adopted rules from the Attorney General. After that formal opinion is issued, the rules will then be filed with the Secretary of State, and they will become effective 30 days after they are published in the state register.”
Below, we provide a brief summary of the more notable provisions in the new rules. For ease of analysis, the article discusses the rules based on the three topics they address: (1) biometric privacy, (2) children’s privacy, and (3) opinion letters and interpretive guidance.
Biometric Privacy
Passed in 2024 and effective July 1, 2025, HB 1130 amends the CPA to create new obligations for entities that collect biometric data and identifiers. We provided an extensive overview of those requirements here.
Biometric Identifier Notice
One of the new requirements is that controllers must, before collecting or processing biometric identifiers, inform consumers or the consumers’ legally authorized representative in a clear, reasonably accessible, and understandable manner that (1) a biometric identifier is being collected; (2) the specific purpose for which a biometric identifier is being collected; (3) the length of time that the controller will retain the biometric identifier; and (4) if the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor and the purpose for which the biometric identifier is being shared with a processor.
To operationalize that requirement, the office created a new Rule 6.12 (Biometric Identifier Notice). Rule 6.12 provides that controllers must provide the biometric identifier notice “at or before the initial collection or Processing of any Biometric Identifiers or before a material change to the Processing purpose of a Biometric Identifier.” The notice “may be . . . [a] separate notice, or included within a general privacy notice” so long as it is clearly labeled such that consumers can easily access the “section of the privacy notice containing relevant information.” The notice also must be made “available in its entirety prior to the collection or Processing of Biometric Identifiers, or linked from a website’s homepage, and if applicable, a mobile app store page or download page.” Controllers that do not operate a website must make the notice available “through a medium regularly used by the Controller to interact with Consumers.”
Employee Consent
One aspect of HB 1130 that will require careful analysis by controllers is that, depending on the situation, employers may need to obtain consent from employees or prospective employees to collect and process biometric identifiers. This is the first time the CPA has provided rights to employees.
To address this requirement, the office created a new Rule 7.09 (Employee Consent to Collect and Process Biometric Identifiers), although that rule does not contain any new substantive requirements. Rather, the new rule ties the collection of consent to existing provisions in the statute and rules.
The office also added a new provision to existing Rule 7.08 (Refreshing Consent). In general, that rule requires controllers to “refresh” a consumer’s consent to process their sensitive data if the controller has not interacted with the consumer in the prior 24 months. However, the rule now provides that a controller that is required to obtain employee consent does not need to refresh the consent unless the employer is processing additional categories of an employee’s biometric identifier for which the employee has not yet provided consent or if the employer is processing an employee’s biometric identifier for a secondary use.
Other Changes
Finally, the office amended Rule 7.02 to provide that controllers must obtain valid consumer consent prior to “[s]elling, leasing, trading, disclosing, redisclosing, or otherwise disseminating Biometric Identifiers, subject to the exceptions” in the CPA. That is not a new substantive provision but rather reflects the requirements in HB 1130. The new rules also revise the existing definitions of “biometric data” and “biometric identifiers” and add new definitions for “biometric identifier notice” and “employee.”
Children’s Privacy
Effective October 1, 2025, SB 41 creates new obligations for entities that offer any online service, product, or feature to minors (defined as under 18). The modifications to the CPA Rules to address SB 41 are relatively minor.
The rules first add definitions of “child” and “minor” by reference to how those terms are defined in the CPA (i.e., under 13 and 18 years of age, respectively).
The rules also modify Rule 7.02 (Required Consent) to provide that a controller must obtain valid consumer consent prior to (1) processing the personal data of a consumer whom the controller actually knows or willfully disregards is a minor and (2) using any system design feature to significantly increase, sustain or extend the use of an online service, product or feature by a consumer whom the controller actually knows or willfully disregards is a minor.
Finally, the rules update Part 8 (Data Protection Assessments) to reference the new data protection assessment requirements in SB 41.
Opinion Letters and Interpretive Guidance
The text of the rules dealing with opinion letters and interpretive guidance is largely the same as it was in the initial draft. See here for our prior analysis. The final rules make three changes.
First, an opinion letter can now provide the basis for a good faith reliance defense for persons or entities that were not the subject of the opinion letter if the Attorney General in its sole determination deems it appropriate. Previously, the good faith reliance defense arising out of the opinion letter process was limited to the subject person or entity.
Second, the rules clarify that if a data protection assessment is submitted with a request to issue an opinion letter, it does not lose its confidential status or constitute a waiver of privilege or work product status.
Finally, opinion letters will still be published on the Attorney General’s website; however, the letters will redact and protect information as required by the Colorado Open Records Act. The rule previously stated that letters may contain information sufficient to ascertain the identity of the requesting party.