June 7, 2023

Volume XIII, Number 158



Colorado Finalizes Sweeping New Privacy Rules; Iowa Joins the Fray

There has been a flurry of state privacy activity in the past week, with Colorado becoming the latest state to finalize sweeping data privacy rules and Iowa on the precipice of becoming the sixth state to enact comprehensive privacy legislation. Read this article to learn more about how the new Colorado rules go beyond existing California and Virginia laws, as well as how Iowa stacks up against the five other existing state laws.



On March 15, 2023, the Colorado Attorney General’s Office filed the final Colorado Privacy Act rules (together with the underlying Colorado Privacy Act, the Colorado Rules) for publication in the Colorado Register; the rules take effect on July 1, 2023. Although the Colorado Rules largely mirror California and Virginia requirements, they impose numerous new obligations that go beyond existing law and will require companies to update their compliance programs, including:

  • Additional requirements for deletion requests: Controllers who deny requests to delete must describe the types of data collected from third parties that the company did not delete (this requirement does not apply to data collected directly from the individual).

  • Flow down all data subject rights to processors: Controllers must flow down all data subject requests that controllers honor to processors, including requests to opt out of targeted advertising and sales of personal data. The California and Virginia rules, by contrast, only require flowing down certain requests in limited circumstances.

  • Honor more specific opt-out technologies: California and Colorado both require controllers to honor opt-out preference signals, but Colorado will go further and publish a specific list of universal opt-out mechanisms by January 1, 2024, which will be updated over time. Controllers must honor the specified signals within six months of publication.

  • Detailed privacy notice requirements: Controllers must specify in their privacy notices the express purpose for which each category of personal data is used. Privacy notices must also specify which data subject rights are available to Colorado residents.

  • Granular data protection assessment requirements: Like California and Virginia, the Colorado Rules require controllers to conduct “data protection assessments” when engaging in “higher risk” processing activities, such as processing sensitive data or engaging in selling/targeted advertising. However, unlike California (which has yet to enact regulations) and Virginia (which has limited details), the Colorado Rules require such assessments to include extensive content, including:

    • The nature and operational elements of the processing activity

    • The sources of personal data

    • The technology or processors to be used

    • The names and categories of the personal data recipients

    • Operational details about the processing

    • The core purposes of the processing activity

    • The sources and nature of risks to the rights of consumers

    • Measures and safeguards in place to protect consumers

    • A description of how the benefits of processing outweigh the identified risks.

The Colorado Rules also provide detailed examples showing how to analyze each factor.

  • Detailed consent requirements: The Colorado Rules impose heightened consent requirements, such as when processing sensitive data and making inferences about sensitive characteristics using non-sensitive data. Although consent to process sensitive data is currently required in Virginia, the Colorado Rules add additional granularity and guidance on obtaining such consent.

  • Applicability to nonprofits: Unlike all the other state privacy laws, the Colorado Rules apply to nonprofits that engage in “commercial activity.”


Also on March 15, 2023, Iowa’s legislature unanimously passed Senate File 262 (S.F. 262), which will become the sixth US state consumer privacy law once the governor signs the bill. The bill closely resembles the Utah Privacy Act, which followed the model set by Virginia, Colorado and Connecticut while loosening or omitting several key provisions. Like the jurisdictional triggers in other states (except California), the Iowa law would apply to businesses that control or process personal data on 100,000 Iowan consumers or derive 50% of revenue from selling the data of more than 25,000 Iowan consumers. The law contains notice, access, deletion, contracting and enforcement provisions similar to those in these other states’ laws. However, like Utah’s law, the Iowa bill:

  • Imposes a right to opt out, not opt in, for the processing of “sensitive data”

  • Omits any right to “correct” inaccurate information or to opt out of certain automated “profiling.”

The bill, which will take effect January 1, 2025, if enacted, should not create significant new compliance hurdles for most businesses beyond what is already required under existing US state privacy laws. Businesses should nevertheless ensure they closely review the impending Iowa law and incorporate it into their existing privacy programs.


This year has been off to a busy start with new laws taking effect in California and Virginia, California and Colorado finalizing regulations (both of which will require businesses to materially update their compliance programs) and Iowa jumping into the fray. We can expect to see the US state privacy landscape continue to grow increasingly complex as other states introduce new privacy legislation and move this momentum forward.

© 2023 McDermott Will & Emery. National Law Review, Volume XIII, Number 83

About this Author

Elliot Golding, Business Privacy and Cybersecurity Attorney

Elliot Golding provides business-oriented privacy and cybersecurity advice to global companies spanning virtually every sector of the economy, with particular expertise in the technology, health care/life sciences, retail/ecommerce, automotive and financial sectors. His practical approach gives clients actionable advice to help balance legal risk with business needs, particularly relating to innovative issues such as “digital health” technologies, biometrics, the Internet of Things, data monetization, online advertising technology and Artificial Intelligence/Machine...

Kathryn Linsky, Cybersecurity and Data Protection Attorney

Kathryn Linsky, CIPP/US, is an experienced privacy, data protection and cybersecurity lawyer counseling on data protection practices throughout the information lifecycle, including compliance with national and international regulations and data processing in emerging technologies.

Kathryn works directly with legal and business stakeholders to advise clients on product and feature development, with a focus on privacy by design. Kathryn is solutions-oriented and skilled in providing practical, business-facing advice, taking into account the...

Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office. Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group. She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law. While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

David Saunders, Cybersecurity Attorney, McDermott Will & Emery Law Firm

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.


David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on...

Saba Bajwa, Associate, McDermott Will & Emery

Saba Bajwa focuses her practice on privacy and cybersecurity matters. Saba provides compliance advice and guidance on the impact of evolving domestic and international privacy regimes. She has experience advising clients on US and international privacy laws, including the EU General Data Protection Regulation (GDPR), state laws like the California Consumer Privacy Act (CCPA) and similar laws in Virginia, Colorado, Connecticut, and Utah, marketing laws like the CAN-SPAM Act and Telephone Consumer Protection Act (TCPA), and other data security and privacy laws and...