Colorado

Subscribe to Colorado via RSS
The switchback heading to the Fraser river trail with Winter Park ski resort in the background. Fraser, Colorado. Approx. 9,000 ft altitude. July 2024.

Keypoint: The attorney general’s office modified the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature during the 2024 session.

On December 6, the Colorado attorney general’s office notified the public that it has adopted updated Colorado Privacy Act (CPA) Rules. The office provided a clean version of the new rules as well as a redline of the changes.

The new rules create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature during its 2024 session – SB 41 (kid’s privacy) and HB 1130 (biometric privacy). You can read more about the SB 41 and SB 1130 here and here.

The adopted rules come after the office published draft rules in September and held a public hearing in November. The office made modifications to the rules based on public feedback received during that process.

The new rules still need to clear two hurdles before they go into effect. According to the attorney general’s office, “[a]s the final step in the rulemaking process, the Department has requested a formal opinion on the adopted rules from the Attorney General. After that formal opinion is issued, the rules will then be filed with the Secretary of State, and they will become effective 30 days after they are published in the state register.”

In the below article, we provide a brief summary of the more notable provisions in the new rules. For ease of analysis, the article discusses the rules based on the three topics they address: (1) biometric privacy, (2) children’s privacy, and (3) opinion letters and interpretive guidance.

Keypoint: The proposed draft amendments modify the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature this year.

On September 13, 2024, the Colorado Attorney General’s office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The office also announced a rulemaking hearing on Thursday, November 7, 2024, and will accept written public comments until that date.

The draft proposed amendments create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature this year – SB 41 (kid’s privacy) and HB 1130 (biometric privacy). You can read more about the SB 41 and SB 1130 here and here.

In the below post, we provide a short summary of some of the more notable parts of the proposed amendments.

Keypoint: If signed into law, Colorado companies that process children’s data will have new requirements beginning on October 1, 2025.  

Prior to the legislature closing on May 8, Colorado lawmakers passed SB 41, which amends the Colorado Privacy Act (CPA) to add protections for children’s data privacy. If signed into law by Colorado Governor Jared Polis, it will go into effect on October 1, 2025. The bill creates new obligations for entities that offer any online service, product, or feature to minors (under 18). The bill is modeled on Connecticut’s SB 3 signed into law last June.

In the below article, we provide an overview of the obligations under SB 41 and the key differences between SB 41 and Connecticut’s SB 3.

Keypoint: If signed into law, Colorado will become the first state to enact legislation regulating the use of high-risk artificial intelligence systems.

On May 8, the Colorado legislature passed the Colorado Artificial Intelligence Act (SB 205). If signed by Governor Jared Polis, Colorado will become the first state to enact legislation that broadly addresses the use of artificial intelligence, in particular the use of artificial intelligence in high-risk activities. The bill is co-sponsored by Senate Majority Leader Robert Rodriguez and House Representatives Manny Rutinel and Brianna Titone.

In the below article, we first provide context and background on the bill. We then provide a summary of the bill’s provisions.

Keypoint: Colorado employers and controllers that collect and process biometric data and identifiers will need to comply with disclosure, consent, and retention requirements beginning on July 1, 2025.

In late April, the Colorado legislature passed HB 1130, which amends the Colorado Privacy Act (CPA) to add protections for an individual’s biometric data and identifiers. Subject to the procedural formalities in the legislature, the bill will move to Colorado Governor Jared Polis for consideration. Assuming the bill becomes law, it will go into effect on July 1, 2025, and create several new obligations for entities that collect biometric data and identifiers. In addition, the bill’s requirements will apply to more entities than are currently covered by the CPA and will apply to employee data.

In the below article, we first provide a brief overview of the CPA’s existing treatment of biometric data. We then discuss the new obligations created by HB 1130.

Keypoint: Colorado policymakers outlined their privacy and AI priorities at a recent Husch Blackwell event.

In early March, Husch Blackwell hosted a discussion panel covering the 2024 legislative priorities of Colorado policymakers related to privacy and artificial intelligence. Attendees heard from Director of Legislative Affairs and Colorado Assistant Attorney General Jefferey Riester, as well as Colorado State Senate Majority Leader Robert Rodriguez. Discussions centered around their legislative priorities related to privacy and artificial intelligence, including the Colorado Privacy Act, SB 41 (children’s privacy), HB 1058 (biological data), and other impending bills on artificial intelligence.

The below article provides a summary of their remarks.

Keypoint: The Colorado Attorney General’s office has received public comments on its short-list of universal opt out mechanism applicants and will need to identify any qualifying mechanism by January 1, 2024.

On December 13, 2023, the Colorado Attorney General’s Office closed the comment period for its short-list of potential universal opt-mechanisms (UOOMs). The Office had previously identified three potential UOOMs and asked for public comment on each. The Office received comments from both individuals and organizations.

In the below chart, we summarize the recommendations from organizations (not individuals) on whether the Colorado Attorney General’s office should approve the three candidates.

The Office must publish a public list of recognized UOOMs (if any) no later than January 1, 2024. Controllers have until July 1, 2024 to recognize any UOOM on that list.

Keypoint: The draft CPA rules retain the hallmarks of what makes the CPA rules unique but contain some notable revisions and clarifications.

On Friday, January 27, 2023, the Colorado Attorney General’s Office published the third draft Colorado Privacy Act (CPA) rules. The Office previously published initial draft rules in October and revised rules in December. The Office published these revised rules shortly before its formal rulemaking hearing scheduled for February 1, 2023. The Office also extended the time for written comments until February 3, 2023.

In the below post we provide a high-level summary of some of the more notable changes to the draft rules in this latest revision. 

Keypoint: The changes are mostly controller-friendly with modifications to the privacy notice, consent, and data protection assessment provisions likely to facilitate compliance; however, the draft rules retain many of the hallmark provisions that make the CPA rules a significant and important addition to the U.S. privacy law landscape.

On December 21, 2022, the Colorado Attorney General’s office published revised draft Colorado Privacy Act (CPA) rules. The Office originally published draft rules in September. The revised draft rules consider public input received by the Office through three stakeholder sessions held in November as well as written comments received through early December.

The Office will hold a public rulemaking hearing on February 1, 2023. Interested parties can submit written comments until February 1, 2023, although the Office recommends that comments be submitted by January 18, 2023, if they are intended to be considered at the hearing.

In the below post we provide a summary of some of the more notable changes to the draft rules. For a discussion of the initial draft rules please see our prior blog post and webinar.

Keypoint: The CPA draft rules are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.

On Friday, September 30, the Colorado Attorney General’s office published proposed Colorado Privacy Act rules. The Office also announced that it will hold three stakeholder meetings on November 10, 15, and 17, 2022, and a public hearing on February 1, 2023.

The draft rules are long – 38 pages of single-space text (omitting the 20 pages of rulemaking documents that appear at the end). In comparison, the Colorado Privacy Act is 31 pages. The length allows the office to provide clarity (e.g., around consumer requests) but also complexity, in particular around data protection assessments and profiling.

The complexity of the draft rules may come as a surprise to those who have not tracked the Office’s comments about engaging in robust rulemaking. The Office has devoted significant time and effort to drafting the rules, and it is clear that the Office intends to make its mark on U.S. privacy law moving forward.

In the below post, we first provide a list of high-level takeaways. We then provide a brief discussion of the rulemaking process and timeline. Finally, we provide a short summary of some of the more important substantive sections.