Keypoint: If signed into law, Colorado companies that process children’s data will have new requirements beginning on October 1, 2025.  

Prior to the legislature closing on May 8, Colorado lawmakers passed SB 41, which amends the Colorado Privacy Act (CPA) to add protections for children’s data privacy. If signed into law by Colorado Governor Jared Polis, it will go into effect on October 1, 2025. The bill creates new obligations for entities that offer any online service, product, or feature to minors (under 18). The bill is modeled on Connecticut’s SB 3 signed into law last June.

In the below article, we provide an overview of the obligations under SB 41 and the key differences between SB 41 and Connecticut’s SB 3.Continue Reading Colorado Legislature Passes Children’s Data Privacy Bill

Keypoint: If signed into law, Colorado will become the first state to enact legislation regulating the use of high-risk artificial intelligence systems.

On May 8, the Colorado legislature passed the Colorado Artificial Intelligence Act (SB 205). If signed by Governor Jared Polis, Colorado will become the first state to enact legislation that broadly addresses the use of artificial intelligence, in particular the use of artificial intelligence in high-risk activities. The bill is co-sponsored by Senate Majority Leader Robert Rodriguez and House Representatives Manny Rutinel and Brianna Titone.

In the below article, we first provide context and background on the bill. We then provide a summary of the bill’s provisions.Continue Reading Colorado Legislature Passes First-in-Nation Artificial Intelligence Bill

Keypoint: Colorado employers and controllers that collect and process biometric data and identifiers will need to comply with disclosure, consent, and retention requirements beginning on July 1, 2025.

In late April, the Colorado legislature passed HB 1130, which amends the Colorado Privacy Act (CPA) to add protections for an individual’s biometric data and identifiers. Subject to the procedural formalities in the legislature, the bill will move to Colorado Governor Jared Polis for consideration. Assuming the bill becomes law, it will go into effect on July 1, 2025, and create several new obligations for entities that collect biometric data and identifiers. In addition, the bill’s requirements will apply to more entities than are currently covered by the CPA and will apply to employee data.

In the below article, we first provide a brief overview of the CPA’s existing treatment of biometric data. We then discuss the new obligations created by HB 1130.Continue Reading Colorado Legislature Passes Biometric Privacy Bill

Keypoint: Colorado policymakers outlined their privacy and AI priorities at a recent Husch Blackwell event.

In early March, Husch Blackwell hosted a discussion panel covering the 2024 legislative priorities of Colorado policymakers related to privacy and artificial intelligence. Attendees heard from Director of Legislative Affairs and Colorado Assistant Attorney General Jefferey Riester, as well as Colorado State Senate Majority Leader Robert Rodriguez. Discussions centered around their legislative priorities related to privacy and artificial intelligence, including the Colorado Privacy Act, SB 41 (children’s privacy), HB 1058 (biological data), and other impending bills on artificial intelligence.

The below article provides a summary of their remarks.Continue Reading Summary of Husch Blackwell Hosted Colorado Policymaker Panel on Privacy and AI Legislation

Keypoint: The Colorado Attorney General’s office has received public comments on its short-list of universal opt out mechanism applicants and will need to identify any qualifying mechanism by January 1, 2024.

On December 13, 2023, the Colorado Attorney General’s Office closed the comment period for its short-list of potential universal opt-mechanisms (UOOMs). The Office had previously identified three potential UOOMs and asked for public comment on each. The Office received comments from both individuals and organizations.

In the below chart, we summarize the recommendations from organizations (not individuals) on whether the Colorado Attorney General’s office should approve the three candidates.

The Office must publish a public list of recognized UOOMs (if any) no later than January 1, 2024. Controllers have until July 1, 2024 to recognize any UOOM on that list.Continue Reading Comment Period Closes for Potential Colorado Privacy Act Universal Opt-Out Mechanisms

Keypoint: The draft CPA rules retain the hallmarks of what makes the CPA rules unique but contain some notable revisions and clarifications.

On Friday, January 27, 2023, the Colorado Attorney General’s Office published the third draft Colorado Privacy Act (CPA) rules. The Office previously published initial draft rules in October and revised rules in December. The Office published these revised rules shortly before its formal rulemaking hearing scheduled for February 1, 2023. The Office also extended the time for written comments until February 3, 2023.

In the below post we provide a high-level summary of some of the more notable changes to the draft rules in this latest revision. Continue Reading Third Version of Colorado Privacy Act Draft Rules Published

Keypoint: The changes are mostly controller-friendly with modifications to the privacy notice, consent, and data protection assessment provisions likely to facilitate compliance; however, the draft rules retain many of the hallmark provisions that make the CPA rules a significant and important addition to the U.S. privacy law landscape.

On December 21, 2022, the Colorado Attorney General’s office published revised draft Colorado Privacy Act (CPA) rules. The Office originally published draft rules in September. The revised draft rules consider public input received by the Office through three stakeholder sessions held in November as well as written comments received through early December.

The Office will hold a public rulemaking hearing on February 1, 2023. Interested parties can submit written comments until February 1, 2023, although the Office recommends that comments be submitted by January 18, 2023, if they are intended to be considered at the hearing.

In the below post we provide a summary of some of the more notable changes to the draft rules. For a discussion of the initial draft rules please see our prior blog post and webinar.Continue Reading Revised Colorado Privacy Act Draft Rules Published

Keypoint: The CPA draft rules are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.

On Friday, September 30, the Colorado Attorney General’s office published proposed Colorado Privacy Act rules. The Office also announced that it will hold three stakeholder meetings on November 10, 15, and 17, 2022, and a public hearing on February 1, 2023.

The draft rules are long – 38 pages of single-space text (omitting the 20 pages of rulemaking documents that appear at the end). In comparison, the Colorado Privacy Act is 31 pages. The length allows the office to provide clarity (e.g., around consumer requests) but also complexity, in particular around data protection assessments and profiling.

The complexity of the draft rules may come as a surprise to those who have not tracked the Office’s comments about engaging in robust rulemaking. The Office has devoted significant time and effort to drafting the rules, and it is clear that the Office intends to make its mark on U.S. privacy law moving forward.

In the below post, we first provide a list of high-level takeaways. We then provide a brief discussion of the rulemaking process and timeline. Finally, we provide a short summary of some of the more important substantive sections.Continue Reading Colorado Privacy Act Draft Rules Published

Keypoint: The comments focus on identifying areas in which the Attorney General’s Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the Colorado Privacy Act with state and international privacy laws.

The Colorado Attorney General’s Office is currently accepting pre-rulemaking input on the Colorado Privacy Act (CPA). It also will host public listening sessions on June 22  and June 28 for those interested in providing oral comments.

Given the importance of these forthcoming regulations to the development of U.S. privacy law, members of Husch Blackwell’s data privacy practice submitted extensive comments to the Office. The purpose of the comments is to identify areas in which the Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the CPA with other state privacy laws enacted in California, Connecticut, Utah, and Virginia and international privacy laws such as GDPR.Continue Reading Husch Blackwell Submits Comments on Colorado Privacy Act Pre-Rulemaking

Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, is relatively prescriptive as it concerns processing consumer requests. The CPA and VCDPA, meanwhile, provide parameters but leave the processing of consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is the introduction of an appeals process that must also inform or assist the consumer in contacting the state Attorney General if dissatisfied with the result of the appeal.Continue Reading How do the CPRA, VCDPA & CPA treat consumer requests?