Colorado AG Proposes Draft Amendments to the Colorado Privacy Act Rules
Monday, September 23, 2024
Colorado Privacy Act Rules
Print Mail Download info_icon_img/>i

On September 13, 2024, the Colorado Attorney General’s (AG) Office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The proposals include new requirements related to biometric collection and use (applicable to all companies and employers that collect biometrics of Colorado residents) and children’s privacy. They also introduce methods by which businesses could seek regulatory guidance from the Colorado AG.

The draft amendments seek to align the CPA with Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, both of which were enacted earlier this year and will largely come into effect in 2025. Comments on the proposed regulations can be submitted beginning on September 25, 2024, in advance of a November 7, 2024, rulemaking hearing.

In Depth

PRIVACY OF BIOMETRIC IDENTIFIERS & DATA

In comparison to other state laws like the Illinois Biometric Information Privacy Act (BIPA), the CPA proposed draft amendments do not include a private right of action. That said, the proposed draft amendments include several significant revisions to the processing of biometric identifiers and data, including:

  • Create New Notice Obligations: The draft amendments require any business (including those not otherwise subject to the CPA) that collects biometrics from consumers or employees to provide a “Biometric Identifier Notice” before collecting or processing biometric information. The notice must include which biometric identifier is being collected, the reason for collecting the biometric identifier, the length of time the controller will retain the biometric identifier, and whether the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor alongside the purpose of such disclosure. This notice must be reasonably accessible, either in a standalone disclosure or, if embedded within the controller’s privacy notice, a clear link to the specific section within the privacy notice that contains the Biometric Identifier Notice. This requirement applies to all businesses that collect biometrics, including employers, even if a business does not otherwise trigger the applicability thresholds of the CPA.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent from the data subject before selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric information. The amendments also allow employers to collect and process biometric identifiers as a condition for employment in limited circumstances (much more limited than Illinois’s BIPA, for example).

PRIVACY PROTECTIONS FOR CHILDREN’S ONLINE DATA

The draft amendments also include several updates to existing CPA requirements related to minors:

  • Delineate Between Consumers Based on Age: The draft amendments define a “child” as an individual under 13 years of age and a “minor” as an individual under 18 years of age, creating additional protections for teenagers.
  • Update Data Protection Assessment Requirements: The draft amendments expand the scope of data protection assessments to include processing activities that pose a heightened risk of harm to minors. Under the draft amendments, entities performing assessments must disclose whether personal data from minors is processed as well as identify any potential sources and types of heightened risk to minors that would be a reasonably foreseeable result of offering online services, products, or features to minors.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent before processing the personal data of a minor and before using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature.

OPINION LETTERS AND INTERPRETIVE GUIDANCE

In a welcome effort to create a process by which businesses and the public can understand more about the scope and applicability of the CPA, the draft amendments:

  • Create a Formal Feedback Process: The draft amendments would permit individuals or entities to request an opinion letter from the Colorado AG regarding aspects of the CPA and its application. Entities that have received and relied on applicable guidance offered via an opinion letter may use that guidance as a good faith defense against later claims of having violated the CPA.
  • Clarify the Role of Non-Binding Advice: Separate and in addition to the formal opinion letter process, the draft amendments provide a process by which any person affected directly or indirectly by the CPA may request interpretive guidance from the AG. Unlike the guidance in an opinion letter, interpretive guidance would not be binding on the Colorado AG and would not serve as a basis for a good faith defense. Nonetheless, a process for obtaining interpretive guidance is a novel, and welcome, addition to the state law fabric.

WHAT’S NEXT?

While subject to change pursuant to public consultation, assuming the proposed CPA amendments are finalized, they would become effective on July 1, 2025. Businesses interested in shaping and commenting on the draft amendments should consider promptly submitting comments to the Colorado AG.

© 2024 McDermott Will & Emery

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF SOLICITATION FOR BIDS OF THE ASSETS: Fulcrum Sierra BioFuels, LLC and Fulcrum BioEnergy, Inc.
Published: 19 September, 2024
PUBLIC NOTICE OF COURT ORDERED BUSINESS SALE: Body Details
Published: 16 September, 2024
PUBLIC NOTICE OF ARTICLE 9 UCC SALE: Presto Automation LLC
Published: 24 September, 2024
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Ricebran Technologies
Published: 24 September, 2024
PUBLIC NOTICE OF ARTICLE 9 UCC SALE: TrueNorth Projects, LLC
Published: 23 September, 2024
PUBLIC NOTICE OF UCC SALE: Prime Finance Short Duration Holding Company VII, LLC
Published: 18 September, 2024
NOTIFICATION OF CONTINUED ARTICLE 9 DISPOSITION OF NEWPORT EXCHANGE HOLDINGS, ETC
Published: 17 September, 2024
PUBLIC NOTICE OF ASSIGNEE SALE: Confidential Company operates 24 branded family restaurants
Published: 10 September, 2024
PUBLIC NOTICE OF UCC SALE: PSW Webbervile, LLC
Published: 9 July, 2024
PUBLIC NOTICE OF UCC SALE: NB SIERRA BLOOM, LLC
Published: 3 July, 2024
Discover more public notices

Current Legal Analysis

California Sues ExxonMobil, Claiming It Deceives the Public on Recyclability of Plastic Products
by: Lynn L. Bergeson , Carla N. Hutton
Contract Manufacturing Versus an Alternating Proprietorship: What Is the Difference?
by: Alva C. Mather , Christine Dower
BIS Proposes Prohibitions on Connected Vehicles with Links to China and Russia: Nine Observations for Companies to Consider
by: Anthony Rapa , Brendan S. Saslow
Long-Awaited Changes to Research Misconduct Rules Have Arrived
by: Rebecca M. Schaefer , Michael H. Phillips
Former Acadia Employees Received Reward for Blowing the Whistle on Healthcare Fraud
by: Tycko & Zavareei Whistleblower Practice Group
Episode 92: The Future of “Fragile” Immigration Statuses [Podcast]
by: BAL U.S. Practice Group
SBA Proposes Key Changes Impacting Small Business Government Contractors and Mentor-Protégé Joint Ventures
by: Shomari B. Wade , Jeffery M. Chiow
AI, Whistleblowers, and Data Analytics - Updated DOJ Compliance Guidance
by: Michael Culhane Harper , Christopher L. Nasson
SEC Continues Enforcement Program Targeting Late Beneficial Ownership Reports
by: Frank Zarb , Louis Rambo
FDA Updates Mycotoxins in Domestic and Imported Human Foods Compliance Program
by: Food and Drug Law at Keller and Heckman

More from McDermott Will & Emery

Contract Manufacturing Versus an Alternating Proprietorship: What Is the Difference?
by: Alva C. Mather , Christine Dower
Dolly Pardon: American Girl Can Sue Foreign Counterfeiter for Internet Sales
by: Karen Gover
When Can Same Claim Limitation Have Different Meanings? When It’s Functional, Of Course
by: Sydney E. McDermott
BIOSECURE Act: US to Target Chinese Biotechnology Companies
by: Sabine Naugès , Sarah L. Engle
This Week in 340B: September 17 – 23, 2024
by: Emily J. Cook , Margaret Houtz
Healthcare Preview for the Week of: September 23, 2024 [Podcast]
by: Debra Curtis , Rodney Whitlock, Ph.D
SDNY Announces Whistleblower Pilot Program to Spur Voluntary Self-Disclosure of Criminal Misconduct
by: Edward B. Diskant , Bradley A. Cohen
DOJ Formalizes Guidelines, Incentives for Corporate Self-Disclosure Through New Policy Directive for US Attorneys’ Offices
by: Edward B. Diskant
US Attorney’s Office in California Announces Voluntary Self-Disclosure and Whistleblower Program for Corporate, Financial Crimes
by: Julian L. André , Gordon A. Greenberg

Upcoming Legal Education Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins