Unpacking Proposed Amendments to Colorado's Privacy Act Rules
Approximately one year after the Colorado Privacy Act (CPA) Rules went into effect, the Colorado Attorney General proposed draft amendments to reflect recent changes to the CPA. Recall that the CPA applies to "controllers" that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either:
- control or process the personal data of 100,000 or more consumers during a calendar year; or
- derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.
Recall also that House Bill 1130 and Senate Bill 041 were signed into law earlier this year, thereby amending the CPA and adding heightened requirements for the collection of biometric information and information about minors. The draft amendments also govern the process of issuing Opinion Letters and Interpretive Guidance for those subject to the law, which we unpack in the following alert.
Biometric Data Requirements
House Bill 1130 requires that businesses subject to the CPA that collect biometric or biological data from customers and certain employees establish new guidelines for that data. The draft amendments provide clarity on the duties of those controllers and create a new requirement under the CPA titled "Biometric Identifier Notice."
This rule requires that a biometric identifier notice be provided at or before the collection or processing of biometric identifiers. The information contained in the biometric identifier notice must be clear, concrete, and definitive. The notice has to be reasonably accessible, and it may be a separate notice or linked to from the homepage of a website or mobile app store.
If a link is used, it must be conspicuous and clearly indicate that it relates to biometric identifiers in the link's text. If the notice is provided in a privacy notice, it should be clearly labeled, such that consumers can easily access the section of the privacy notice containing the relevant information. If a controller does not operate a website, the biometric identifier notice must be made available to consumers through a medium regularly used by the controller to interact with consumers.
Additionally, the amendments created another new rule under the CPA titled "Employee Consent To Collect And Process Biometric Identifiers." The proposed rule implements the requirements set forth in HB 1130 and other previously existing CPA regulations. The amendments also redefined "Biometric Data" and "Biometric Identifiers" to parallel the definitions used in HB 1130.
Minors' Data Requirements
Under Senate Bill 041, any business offering an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards as being a minor has a duty to use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product, or feature. To that end, the amendments add a definition for a "minor" (any consumer who is under 18 years of age) and a "child" (an individual under 13 years of age).
The amendments also require that controllers obtain consumer consent prior to: processing the personal data of a minor; using any system design feature to significantly increase, sustain, or extend a minor's use of an online service, product, or feature; and selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric identifiers.
Additionally, the amendments established further obligations for controllers regarding data protection assessments. This includes requiring an assessment of the "sources and nature of any heightened risk of harm to minors that is a reasonably foreseeable result of offering an online service, product, or feature to minors."
Governance of Opinion Letters and Interpretive Guidance
One purpose of the draft amendments was to create a process whereby the Attorney General would be empowered to issue Opinion Letters in response to specific requests from entities (requestors) seeking to understand how the CPA would apply to certain data activities.
Opinion Letters
A request for an Opinion Letter must be fact-specific, and be "prospective in nature, pertaining to an activity that the requestor in good faith specifically plans to undertake." Requests cannot be used for "general question of interpretation, positing a hypothetical situation, or regarding the activities of unrelated persons or entity."
The Attorney General has discretion whether to issue an Opinion Letter and will publish issued Opinion Letters on the Attorney General's website. If an enforcement action is filed against the requestor regarding the question presented in the Opinion Letter, the requestor "may legally rely upon the Opinion Letter in asserting a good faith reliance defense." However, an Opinion Letter may not form the basis of a good faith reliance defense for persons or entities who were not the subject of the Opinion Letter.
Interpretive Guidance
If the Attorney General declines to issue an Opinion Letter, the Attorney General may still issue Interpretive Guidance, which is informational only and may not serve as the basis for a good faith reliance defense. Any person affected by the CPA may request Interpretive Guidance from the Attorney General.
The Attorney General has the discretion to change a request from an Opinion Letter to Interpretive Guidance. Additionally, the Attorney General has the authority to issue Interpretive Guidance when it "believes that such general information will assist an individual, organization, or the general public." Interpretive Guidance is "not binding on the Attorney General or Colorado Department of Law with respect to any particular factual situation."
Takeaways for Businesses
The Attorney General's Office accepted public comments on the draft amendments from September 25, 2024, to November 7, 2024, and held a public hearing on November 7, 2024. Businesses should be on the lookout for Final Rules.
Once the Final Rules are promulgated, businesses operating in Colorado will need to review their collection of biometric and minors' data to ensure compliance. In the meantime, businesses should note that the CPA's right to cure expires on January 1, 2025.