Keypoint: The CPA draft rules are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.
On Friday, September 30, the Colorado Attorney General’s office published proposed Colorado Privacy Act rules. The Office also announced that it will hold three stakeholder meetings on November 10, 15, and 17, 2022, and a public hearing on February 1, 2023.
The draft rules are long – 38 pages of single-space text (omitting the 20 pages of rulemaking documents that appear at the end). In comparison, the Colorado Privacy Act is 31 pages. The length allows the office to provide clarity (e.g., around consumer requests) but also complexity, in particular around data protection assessments and profiling.
The complexity of the draft rules may come as a surprise to those who have not tracked the Office’s comments about engaging in robust rulemaking. The Office has devoted significant time and effort to drafting the rules, and it is clear that the Office intends to make its mark on U.S. privacy law moving forward.
In the below post, we first provide a list of high-level takeaways. We then provide a brief discussion of the rulemaking process and timeline. Finally, we provide a short summary of some of the more important substantive sections.