Keypoint: The attorney general’s office modified the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature during the 2024 session.

On December 6, the Colorado attorney general’s office notified the public that it has adopted updated Colorado Privacy Act (CPA) Rules. The office provided a clean version of the new rules as well as a redline of the changes.

The new rules create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature during its 2024 session – SB 41 (kid’s privacy) and HB 1130 (biometric privacy). You can read more about the SB 41 and SB 1130 here and here.

The adopted rules come after the office published draft rules in September and held a public hearing in November. The office made modifications to the rules based on public feedback received during that process.

The new rules still need to clear two hurdles before they go into effect. According to the attorney general’s office, “[a]s the final step in the rulemaking process, the Department has requested a formal opinion on the adopted rules from the Attorney General. After that formal opinion is issued, the rules will then be filed with the Secretary of State, and they will become effective 30 days after they are published in the state register.”

In the below article, we provide a brief summary of the more notable provisions in the new rules. For ease of analysis, the article discusses the rules based on the three topics they address: (1) biometric privacy, (2) children’s privacy, and (3) opinion letters and interpretive guidance.

State lawmakers filed nearly 500 AI-related bills in 2024 with Colorado, California, Illinois, and Utah passing notable laws. With state lawmakers emboldened by federal inactivity, 2025 promises to see even more state action. Regulatory agencies such as the California Privacy Protection Agency are also considering AI-related rulemaking that could have significant impact on businesses.

Join

On November 8, the California Privacy Protection Agency Board voted to advance the new draft CCPA regulations to formal rulemaking. In this on-demand webinar, HB privacy attorney Shelby Dolen provides a high-level summary of the draft risk assessment regulations. 

This is the fourth on-demand webinar in our four-part series analyzing the draft regulations. You can

On November 8, the California Privacy Protection Agency Board voted to advance the new draft CCPA regulations to formal rulemaking. In this on-demand webinar, HB privacy partner David Stauss provides a high-level summary of the draft cybersecurity audit regulations. 

This is the third on-demand webinar in our four-part series analyzing the draft regulations. You can

On November 8, the California Privacy Protection Agency Board voted to advance the new draft CCPA regulations to formal rulemaking. In this on-demand webinar, HB privacy partner David Stauss provides a high-level summary of the proposed changes to the existing CCPA regulations. 

This is the second on-demand webinar in a four-part series analyzing the draft

On November 8, the California Privacy Protection Agency Board voted to advance the new draft CCPA regulations to formal rulemaking. In this on-demand webinar, HB privacy partner David Stauss provides a high-level summary of the draft regulations on automated decisionmaking technology (ADMT). During the Board meeting, the draft ADMT regulations were a source of many

Keypoint: The New York State Department of Financial Services (NYDFS) issued an industry letter outlining the threats posed to U.S. companies who hire remote technology workers linked to North Korea and may embezzle funds from their new employers.

On November 1, 2024, NYDFS issued guidance warning companies against an increasing risk posed from individuals applying for employment in IT roles who are in fact operating on behalf of North Korea. These applicants seek employment in order to infiltrate western companies’ computer systems and illicitly generate revenue for the North Korean regime.

Keypoint: The New York Department of Financial Services (NYDFS) circulated an industry letter offering guidance to NYDFS “Covered Entities” for assessing and managing AI-related cybersecurity risks, including threats malicious actors using AI and the risks associated with a Covered Entity’s own AI systems.

The NYDFS industry letter (“Letter”) recognizes that Covered Entities can leverage AI to enhance their cybersecurity posture. The department contends that doing so would bolster entities’ compliance with NYDFS cybersecurity regulation 23 NYCRR Part 500 (“Part 500”).

Keypoint: Massachusetts’ highest court ruled the use of software that tracks users’ activity on its website does not violate the state’s Wiretap Act, which was intended to prevent the recording or interception of communications between two or more persons.

On October 24, the Massachusetts Supreme Judicial Court held the state’s wiretapping act did not apply to the collection of users’ browsing activities on websites. In Vita v. New England Baptist, Massachusetts’ highest State Court held in a 5-1 decision that although the law did not define “communication,” it nevertheless was limited to communications between individuals and did not extend to cover a user’s browsing on a website. This decision, which is limited to the Massachusetts Wiretap Act, establishes that website operators can use tracking tools like Meta Pixel and Google Analytics to gather users’ browsing data without their consent, highlighting the limitations of the decades-old surveillance laws in addressing modern privacy concerns. Notably, several California courts have reached opposite conclusions under the corresponding California wiretapping laws (commonly known as CIPA Section 631(a)).

In the below article, we provide an overview and analysis of the Massachusetts Supreme Judicial Court ruling and the potential impact on the wave of privacy litigation ongoing in California Courts.

Keypoint: California state courts weigh in on what does, and does not, qualify as a “pen registry” or “tap and trace” device while one California federal court raises whether a wiretapping claim can also allow for a CCPA privacy right of action.

Welcome to the eighteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we examine two decisions from California Federal District Courts that dismissed chat-based wiretapping claims. We also look at four VPPA decisions (three from the same jurisdiction) that all dismissed VPPA claims under Rule 12(b)(6), showing courts’ growing lack of patience for plaintiffs’ attorneys who fail to plead such claims with specificity and under the standards established by past VPPA decisions.

Byte Back + members also get access to coverage of four pen registry decisions, one (substantial) pixel decision, an email tracking decision, plus and our coverage of oral argument in the Ninth Circuit’s Briskin v Shopify decision. Interested in learning more about Byte Back+? Contact the authors or click here.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.