Colorado AG Proposes Draft Amendments to the Colorado Privacy Act Rules

On September 13, 2024, the Colorado Attorney General’s (AG) Office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The proposals include new requirements related to biometric collection and use (applicable to all companies and employers that collect biometrics of Colorado residents) and children’s privacy. They also introduce methods by which businesses could seek regulatory guidance from the Colorado AG.

The draft amendments seek to align the CPA with Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, both of which were enacted earlier this year and will largely come into effect in 2025. Comments on the proposed regulations can be submitted beginning on September 25, 2024, in advance of a November 7, 2024, rulemaking hearing.

In Depth

PRIVACY OF BIOMETRIC IDENTIFIERS & DATA

In comparison to other state laws like the Illinois Biometric Information Privacy Act (BIPA), the CPA proposed draft amendments do not include a private right of action. That said, the proposed draft amendments include several significant revisions to the processing of biometric identifiers and data, including:

  • Create New Notice Obligations: The draft amendments require any business (including those not otherwise subject to the CPA) that collects biometrics from consumers or employees to provide a “Biometric Identifier Notice” before collecting or processing biometric information. The notice must include which biometric identifier is being collected, the reason for collecting the biometric identifier, the length of time the controller will retain the biometric identifier, and whether the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor alongside the purpose of such disclosure. This notice must be reasonably accessible, either in a standalone disclosure or, if embedded within the controller’s privacy notice, a clear link to the specific section within the privacy notice that contains the Biometric Identifier Notice. This requirement applies to all businesses that collect biometrics, including employers, even if a business does not otherwise trigger the applicability thresholds of the CPA.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent from the data subject before selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric information. The amendments also allow employers to collect and process biometric identifiers as a condition for employment in limited circumstances (much more limited than Illinois’s BIPA, for example).

PRIVACY PROTECTIONS FOR CHILDREN’S ONLINE DATA

The draft amendments also include several updates to existing CPA requirements related to minors:

  • Delineate Between Consumers Based on Age: The draft amendments define a “child” as an individual under 13 years of age and a “minor” as an individual under 18 years of age, creating additional protections for teenagers.
  • Update Data Protection Assessment Requirements: The draft amendments expand the scope of data protection assessments to include processing activities that pose a heightened risk of harm to minors. Under the draft amendments, entities performing assessments must disclose whether personal data from minors is processed as well as identify any potential sources and types of heightened risk to minors that would be a reasonably foreseeable result of offering online services, products, or features to minors.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent before processing the personal data of a minor and before using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature.

OPINION LETTERS AND INTERPRETIVE GUIDANCE

In a welcome effort to create a process by which businesses and the public can understand more about the scope and applicability of the CPA, the draft amendments:

  • Create a Formal Feedback Process: The draft amendments would permit individuals or entities to request an opinion letter from the Colorado AG regarding aspects of the CPA and its application. Entities that have received and relied on applicable guidance offered via an opinion letter may use that guidance as a good faith defense against later claims of having violated the CPA.
  • Clarify the Role of Non-Binding Advice: Separate and in addition to the formal opinion letter process, the draft amendments provide a process by which any person affected directly or indirectly by the CPA may request interpretive guidance from the AG. Unlike the guidance in an opinion letter, interpretive guidance would not be binding on the Colorado AG and would not serve as a basis for a good faith defense. Nonetheless, a process for obtaining interpretive guidance is a novel, and welcome, addition to the state law fabric.

WHAT’S NEXT?

While subject to change pursuant to public consultation, assuming the proposed CPA amendments are finalized, they would become effective on July 1, 2025. Businesses interested in shaping and commenting on the draft amendments should consider promptly submitting comments to the Colorado AG.

© 2024 McDermott Will & Emery by: Amy C. Pimentel, David P. Saunders, Elliot R. Golding of McDermott Will & Emery For more news on Colorado Privacy Law, visit the NLR Communications Media Internet and Consumer Protection sections.

  • Related Posts

    You See Health, Whistleblower Saw Fraud: Uncovering a $23 Million Healthcare Fraud Scheme

    A whistleblower’s vigilance has led to the revelation of alleged Medicare and TRICARE fraud involving UCHealth, a healthcare system with locations throughout the state of Colorado. University of Colorado Health…

    Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act

    The Supreme Judicial Court of Massachusetts, the state’s highest appellate court, recently held that website operators’ use of third-party tracking software, including Meta Pixel and Google Analytics, is not prohibited…

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Fed Announces Details and Focus of Upcoming Framework Review

    • By admin
    • November 23, 2024
    • 2 views
    Fed Announces Details and Focus of Upcoming Framework Review

    Saudi Arabia Gets First Moody’s Upgrade On Economic Advance

    • By admin
    • November 23, 2024
    • 2 views
    Saudi Arabia Gets First Moody’s Upgrade On Economic Advance

    Fed announces policy framework review, plans for May 15-16 conference

    • By admin
    • November 23, 2024
    • 5 views
    Fed announces policy framework review, plans for May 15-16 conference

    Fed’s Bowman Says Regulators Shouldn’t Rush to Contain AI

    • By admin
    • November 23, 2024
    • 5 views
    Fed’s Bowman Says Regulators Shouldn’t Rush to Contain AI

    The Pros and Cons of TikTok’s Viral ‘Winter Arc’ Challenge: What to Know

    • By admin
    • November 23, 2024
    • 3 views
    The Pros and Cons of TikTok’s Viral ‘Winter Arc’ Challenge: What to Know

    Fed survey finds inflation fading as a risk next to debt, trade wars

    • By admin
    • November 23, 2024
    • 5 views
    Fed survey finds inflation fading as a risk next to debt, trade wars