Colorado AG Finalizes Colorado Privacy Act Draft Rules


The Colorado Attorney General’s Office recently released finalized rules to implement the Colorado Privacy Act (CPA). Both the rules and the CPA become effective on July 1, 2023. The CPA joins the California Privacy Rights Act and Virginia Consumer Data Protection Act as comprehensive state privacy laws.

Updates to defined terms. The definition of “biometric identifiers” was amended to include “behavioral characteristics” when they are “Processed for the purpose of uniquely identifying an individual.” Additionally, inferences made exclusively from “multiple sources of publicly available information” were removed from the definition of “publicly available information.”

Personal data rights clarifications. With respect to access requests, controllers are now required to provide consumers with the specific pieces of personal data held about them, which include “final profiling decisions, inferences, derivative data” and other personal data created by the controller that is “linked or reasonably linkable” to an individual.

The right to correction no longer applies to a controller’s archived or backup systems. If a controller denies a correction request based on its determination that, under the totality of the circumstances, the information is correct, the controller must document its decision and explain it to the consumer.

The original draft rules required the opt-out method to be provided either directly or through a link in the privacy notice. The revised rules now make it clear that the opt-out method must be clearly and conspicuously available outside of the privacy notice. 

Expanded privacy notice disclosures. This draft of the rules defines the “substantive or material” changes in data practices that require a communicated update to consumers. Such changes include changes to: the categories of personal data processed, the processing purposes, a controller’s identity, the sharing of personal data with third parties, the identity of the affiliates, processors, or third parties with which personal data is shared, or the methods by which consumers can exercise their data rights.

Updated data protection assessment requirements. Data protection assessments must be conducted in a wide variety of circumstances, including data sales and (likely) including certain analytics and profiling. The substance of what controllers must consider in their data protection assessments has been narrowed from 18 issues in the initial draft to 13 issues in the revised draft. However, some of the new categories are themselves expansive. For example, when a DPIA must be conducted, it must include “the core purposes of the Processing activity, as well as other benefits of the Processing that may flow to the Controller, Consumer, and other expected stakeholders.”

Security measures. New details about the level of security measures required for controllers to safeguard personal data are included in this draft. When implementing administrative, technical, and physical safeguards, controllers will be required to consider a host of factors, including the sensitivity and amount of personal data, the source from which the data originated, and the risk of harm resulting from potential unauthorized or unlawful access or use of the personal data. The draft rules require procedural measures and safeguards, such as a requirement to identify and protect against anticipated threats to security.

If you have any questions about the Colorado Privacy Act or the draft rules, please contact Jordan Ockleberry, the author, or Michael Young, Practice Chair.