The Colorado AG’s office adopted draft amendments to the Colorado Privacy Act rules last month. The adopted draft reflected input from the public to AG’s September 2024 version and addresses three key issues. First, on opinion letters and interpretive guidance from the AG. Second, changes resulting from the passage of a bill related to biometric (HB 24-1130) data. And third, a bill related to children’s (SB 24-041) privacy. (Both of which amend Colorado’s privacy law.)

Opinion Letters and Interpretive Guidance

Colorado’s privacy law allows the Colorado AG to issue opinion letters and interpretive guidance by January 1, 2025. These are tools that can provide insight and clarity to businesses and the general public. A business can request an Opinion Letter containing the AG’s advice on how the CPA would apply to prospective processing activities. If the AG declines to issue an Opinion Letter, they can issue Interpretive Guidance. Both will be published on the Colorado AG website (Opinion Letters in redacted form). Interpretive Guidance is general advice that is not binding. The rule amendments state how to request an Opinion Letter, what information to provide in the request, and the factors the AG can consider when determining whether to respond to a request. The rule amendment also establishes a “good faith reliance defense” for businesses that receive an Opinion Letter (there is no such defense for relying on an Interpretive Guidance). Among other things, the business can legally rely upon the Opinion Letter in the event an enforcement action for the activity presented in the Opinion Letter.

Biometric Data

Effective July 1, 2025, Colorado’s privacy law (as amended by HB 24-1130) will require that businesses adopt a written policy relating to biometrics. Part of the required process will be having a retention schedule, handling data incidents that impact biometrics, and deletion requirements. With certain exceptions, businesses must make this written policy available to the public. The new rule amendments address some of these changes, including:

1. Notice: The creation of a “biometric identifier notice.” Such notice must comply with all privacy notice requirements under CPA. This means the notice must be accessible, and detail in plain language the collection, purpose, length of retention, and any disclosure of biometric identifiers. It must be given at or before the collection of biometric information, and can be a separate document or part of the company’s privacy policy.
2. Consent: Consumers must give consent before their biometric data is sold, leased, traded, disclosed, or otherwise disseminated. Employers will need to get consent from employees and prospective employees before they collect or use biometric information. Employers must also provide notice. While the CPA rules generally require that businesses “refresh” consent every 2 years, but an employer does not need to refresh the employee’s biometric consent – unless the biometric information will be used for new purposes.

Children and Minors

Beginning October 1, 2025, the Colorado privacy law (as amended by SB 24-041), will include new obligations on companies relating to minors (those under 18). These changes were also incorporated into the new rule amendments, and include:

1. Data Protection Impact Assessments: Data protection impact assessments will be required where there is a heightened risk to minors from offering online services or products to minors.
2. Consent: Businesses will need to get consent from minor consumers, or from a minor’s parents if the minor is a child before using a system or design feature that will increase or sustain the use of an online platform. SB 24-041 also amends the CPA to require parental consent before processing a minor’s data for targeted advertising, sale, or used for risky profiling.

Putting it into Practice: These new rules are a reminder that Colorado’s Privacy Act continues to expand and grow. Companies should keep in mind these upcoming obligations for biometric and minor data, going into effect later this year. For some companies, the opportunity to receive an Opinion Letter about proposed activities may be useful, but only after careful consideration of the pros and cons of requesting such a letter (which include disclosure to the AG of planned -but not implemented- activities).