Colorado AG Proposes Amendments to the Colorado Privacy Act Rules to Implement Recent Legislative Updates
Wednesday, November 6, 2024

Just over one year after the Colorado Privacy Act Rules took effect, the Colorado Attorney General’s Office filed a set of proposed draft amendments that, if implemented, would significantly modify the Rules to reflect recent changes to the CPA. Earlier this year, Governor Jared Polis signed House Bill 1130 and Senate Bill 041 into law and, in doing so, amended the CPA to add heightened requirements for the collection and use of biometric information and information about minors. As currently drafted, the proposed amendments would augment these statutory revisions.

Quick Hits

  • The Colorado Attorney General’s Office recently proposed draft amendments to the Colorado Privacy Act (CPA) Rules.
  • The draft amendments are largely focused on consumer data and implement recent changes to the CPA that reflect increased regulation of entities that collect and use biometric information and personal information relating to children under the age of eighteen.
  • The amendments also include a new process for entities and individuals to request, and the Colorado AG to provide, interpretive guidance and opinion letters regarding the intended effect of the CPA.
  • A rulemaking hearing on the proposed draft Rules is scheduled for November 7, 2024. The public has until then to comment on the proposed amended Rules.

Additionally, as the sunset date for the CPA’s right to cure approaches on January 1, 2025, the draft amendments include language that articulates the design for and implements an advisory process within the AG’s office whereby the office will issue opinion letters and interpretative guidance relating to the CPA. If approved, the amendments will go into effect on July 1, 2025.

Adding Protections for Biometric Data

House Bill 1130 amended the CPA to create new obligations for entities that collect biometric data and identifiers. Subject to some exceptions specific to employee data used for activities like access control and timekeeping, the amendments to the CPA require controllers to provide a notice to consumers explaining what biometric data is being collected, the reason it is being collected, how long the controller will keep the biometric data, and whether their biometric data will be disclosed, redisclosed, or otherwise distributed to another party and why.

Additionally, HB 1130 requires a controller or processor of biometric data to adopt a written policy that:

  • establishes a retention schedule for biometric identifiers and data;
  • includes a protocol for responding to a data security incident that may compromise the security of biometric identifiers or data; and
  • includes guidelines that require the deletion of a biometric identifier on or before certain dates.

Except with respect to certain employee-focused policies or internal data breach protocols, this policy must be made public, so companies may want to be careful and accurate when drafting it.

The draft amendments build on these requirements by proposing a Rule that further describes the requirements of the biometric identifier notice now required by the CPA. If adopted, the Rule would require controllers to provide the notice at or before the collection or processing of any biometric identifiers. The proposed Rule states that the notice “must be clear,” “[c]oncrete and definitive,” and avoid any ambiguous language. If the notice is included within a privacy notice that is not specific to biometric data, it would need to be “clearly labeled” (likely using embedded hyperlinks) so that consumers can find the relevant information quickly. If the proposed Rule is accepted, controllers that operate online platforms would need to meet additional requirements, including that the notice be conspicuously linked from the site’s homepage or app store page. Those without a web presence that nevertheless collect or process biometric identifiers would need to provide notice through their regular interaction channels, for example, through a hard-copy version of their privacy notice.

Protecting Minors’ Data

Like HB 1130, SB 041 amended the CPA to add expanded protections for personal information about minors (now defined as any consumer under the age of eighteen). Controllers offering online services, products, or features to minors are now subject to an expanded duty of care that necessitates they “use reasonable care to avoid any heightened risk of harm to minors.” Controllers must also conduct data protection assessments for online services, products, or features that present a heightened risk of harm to minors, while also maintaining documentation for a specified period.

Importantly, the AG may request (and the controller must provide) a copy of the data protection assessment. SB 041 also imposes heightened consent requirements, including that controllers must obtain consent from minors or, in the case of a child (i.e., an individual under the age of thirteen), the child’s parent or guardian, before engaging in certain enumerated data processing activities.

The draft amendments complement these requirements by describing the specific requirements of the data protection impact assessment that controllers would be required to undertake in connection with the processing of minors’ data and by proposing to require controllers to obtain valid consumer consent before processing the minor’s personal data or using any “system design feature to increase, sustain, or extend a [m]inor’s use of an online service, product, or feature.”

As One Avenue for Guidance Disappears, a New Avenue Becomes Available

Privacy practitioners and entities required to comply with the CPA will likely be familiar with the statute’s right to cure, which gives entities in violation of the act sixty days to cure their alleged violations. The right to cure, however, was intended to operate as a stop-gap measure to help controllers ease into compliance with the heightened burdens of the CPA. As such, the right to cure sunsets on January 1, 2025, a year and a half after the CPA took effect. Nevertheless, perhaps in recognition of the fact that there will always be questions about the application of the law, the Colorado Attorney General’s Office is taking steps to develop a process to provide further guidance through opinion letters and interpretive guidance.

The draft amendments create a detailed process by which entities covered by the CPA may request guidance in the form of an opinion letter on specific prospective actions they plan to take. Any opinion letter issued in response to such a request may be relied upon by that entity should the Colorado AG file an enforcement action on that issue. Similarly, the draft amendments create a discretionary process through which the Colorado AG may issue statements providing interpretive guidance about the CPA to covered individuals and the general public. This may come about because of specific or general requests or simply because the AG’s office believes such guidance will be helpful. Because no entity is permitted to rely on an opinion letter issued in response to the question of another entity, or on any interpretive guidance issued by the Colorado AG, if the Rules are amended as currently proposed, the resulting guidance will be informative but will not serve to meaningfully protect any entity from enforcement activity.

Next Steps

The Colorado Attorney General’s Office is accepting public comments on the proposed amendments until November 7, 2024. After the close of the comment period, and following a public hearing, companies should stay tuned for final Rules. In the meantime, employers may wish to remain mindful of the expiring right to cure and assess their confidence in their compliance position or evaluate whether to pursue the potential new opportunities for regulatory guidance. Once final Rules are announced, companies may need to evaluate their handling of biometric data (including from employees) and minors’ data and take steps to ensure the approach utilized is CPA compliant.
