Attorney General’s Office files finalized Colorado Privacy Act rules
March 15, 2023 (DENVER) – The Colorado Attorney General’s Office filed the finalized Colorado Privacy Act (CPA) Rules with the Colorado Secretary of State’s Office this week, following completion of a review confirming the rules are legal and constitutional.
The rules will be published in the Colorado Register later this month, and they will go into effect July 1, 2023, making Colorado the third state to enact a general state privacy law and the second to draft related rules.
The CPA grants Coloradans rights over their own personal data. The law allows Coloradans to access the data that businesses, nonprofits, and other entities collect about them and to have those entities delete or correct that data. It also provides Coloradans with additional control over the way that their personal data is used, allowing them to opt out of the sale of their personal data and of the use of their personal data for targeted advertising and profiling. The law requires companies to tell Coloradans how they use personal data and to take precautions that will reduce the risk of data collection harming consumers. Finally, the law grants the attorney general the authority to hold entities accountable for failing to comply with these obligations and to draft rules that provide clarity and guidance for compliance.
The Department of Law hosted five virtual and in-person public input sessions and a rulemaking hearing, inviting members of the public to offer their comments and feedback on the rulemaking and draft rules. The department also released three versions of draft rules implementing feedback and received 137 written comments about the drafts through an online portal, all of which are available for review on the department’s website.
“I am grateful for the dedication and engagement from the public throughout this rulemaking process,” said Attorney General Phil Weiser. “Attorneys in my office thoughtfully incorporated feedback throughout the rulemaking to carefully craft rules to both protect consumers and ensure businesses have reasonable direction as they manage Coloradans’ information.”
Highlights from the rules include:
- Application: According to SB21-190, the CPA applies to entities that conduct business in, or target products or services to, Colorado and that either control or process the personal data of at least 100,000 consumers per calendar year, or sell personal data and control or process the personal data of at least 25,000 consumers. It does not apply to certain entities, including state and local governments and state institutions of higher education, or to personal data governed by listed state and federal laws, listed activities, and employment records.
- Profiling (Part 9): Colorado is the first state in the country to enact regulations governing automated decision making (i.e., profiling) in the context of a general state privacy law.
- Data protection assessments (Part 8): Under the CPA, a company must conduct and document a data protection assessment before conducting a processing activity that presents a heightened risk of harm to a consumer. The rules clarify the scope and requirements of data protection assessments conducted pursuant to the CPA. Colorado is also the first state in the nation to provide regulations governing data protection assessments conducted under a general state privacy law.
- Universal opt-out mechanism (Part 5): Rather than requiring consumers to opt out of data collection on a case-by-case basis, the CPA gives consumers the ability to use a universal opt-out mechanism to communicate their opt-out choice to multiple businesses using one method. The rules provide a basic technical specification and create standards governing the way that the opt-out mechanism requirements must be implemented.
- Transparency (Rule 6.03): The rules ensure that privacy notices provided pursuant to the CPA are “meaningful” as contemplated in the statute. They require that the mandated information be linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that data to a business for a specific purpose.
For more information, or to view previous drafts of the rules, go to coag.gov/cpa.