The Colorado Privacy Act (CPA) is slated to go into effect July 1, 2023. The law, which applies to, among other things, many businesses or nonprofits that process the data of as many as 100,000 people over the course of one year, allows the Attorney General to “promulgate rules for the purpose of enforcement” of the CPA. In addition, the law requires the Attorney General “to adopt rules that detail the technical specifications of one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, free, and unambiguous choice to opt out of data processing. information for the purposes of targeted advertising or the sale of personal data pursuant to Section 6-1-1306 (1)(a)(I)(a) or (1)(a)(I)(b). Consistent with those responsibilities, Attorney General Weiser has publicly stated that his office will provide formal notice of rulemaking and release draft regulations later this year.
While the formal rule-making process isn’t expected to begin until this fall, the Attorney General is currently engaged in a rare “informal pre-rule-making process” to gather additional input from all members of the public before drafting regulations. Attorney General Weiser stressed the importance of getting “strong and diverse input from interested people,” including businesses of all sizes that will be subject to the CPA’s enforcement regime.
In his April 12 remarks to the International Association of Privacy Professionals’ Global Privacy Summit, Attorney General Weiser announced that his office was releasing “prior rulemaking considerations” for Colorado privacy law. These newly released considerations contain “targeted questions for informal comment” on topics that would specifically benefit from public comment. The original document outlining “Preliminary Considerations in Developing Rules for Colorado Privacy Law” can be found HERE. Topics on which Attorney General Weiser is seeking specific comment include:
- Universal deactivation
- Dark Patterns (to obtain consent)
- Data protection assessment obligations
- Profiling and “legal or similar significant effects” (arising from automated data processing)
- Opinion Letters and Interpretation Tips
- Offline and off-web data collection
- Protecting Colorado People in a Global National Economy (and Interdependence with Other Data Privacy Regimes)
- Additional topics
Companies doing business in Colorado or subject to one of the many data privacy laws across the country should act now to protect their interests in this process and develop internal compliance processes. Buchalter’s experienced attorneys can help engage clients directly with the AG office, develop compliant data protection policies, and otherwise assess obligations and participation in the formation of various company data privacy policies. State.