Colorado Privacy Law Regulations Finalized: Time to Review Information Practices
Tuesday, March 28, 2023
Regulations Finalized for CO Privacy Law
Print Mail Download i

Colorado’s Privacy Act regulations have now been finalized, in advance of the law’s July 1 effective date. As we have written previously, the Colorado privacy law applies to companies that conduct business in the state and either (1) control or process personal data of 100,000 Colorado consumers during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 Colorado consumers. The law mirrors in many ways the comprehensive privacy laws of other states.

Additionally, among its many requirements, the law holds that by July 1, 2024, consumers must be able to opt-out of targeted advertising or the sale of information through a universal opt-out mechanism. The Attorney General was to promulgate and adopt rules relating to the law’s opt-out mechanisms by July 1, 2023. Those rules were to establish technical opt-out specifications. Draft regulations addressing this were released in December, and have now been finalized.

As indicated in the draft in December, and continued in the finalized version, the Colorado AG will release a list of Universal Opt-Out Mechanisms that meet the requirements of the regulations by January 1, 2024. Additional mechanisms may be added after that time, and companies will have six months from when they are added to the list to respect signals from the new mechanism. As we indicated in December, the regulations contain more requirements than simply issues relating to opt-out mechanisms. Among the many details are more information about:

  • Notices: The regulations clarify that privacy notices (as required under 6-1-1308) should be in “plain language” and avoid “technical or legal jargon.” They should also be accessible to those with disabilities, following standards like W3C guidelines and be straightforward and accurate.

  • Rights Requests: For rights requests (under 6-1-1306), the regulations clarify that the mechanism does not need to be specific to Colorado, but should indicate which rights are being made available by the company to Colorado residents. The regulations further clarify that the only information that should be collected as part of the process is what the company needs to process the consumer’s request. The regulations also significantly build on the law’s access right details, mirroring in many ways the process that exists in California. This includes a requirement that companies give people “specific pieces” of personal information, including information created by the company (marketing profiles, inferences, etc.). The company does not need, however, to give financial account, medical information, or other similar sensitive information. The regulations also provide that records of rights requests be maintained for at least 24 months.

  • Data Minimization: The law contains restrictions on the amount of information companies can collect (namely 6-1-1308’s requirement that it be limited to that which is reasonably necessary for the purpose for which the company is processing data). The regulations build on this by requiring that companies review annually if they need to maintain biometric identifiers. This assessment should be documented in writing. The regulations also specify that companies should not collect information except that which it lists in its privacy policy. 

  • Consent: Under the Colorado Privacy Law, consent is needed in some specific situations, including to (a) process sensitive information and (b) process information about a child. Consent can be obtained before July 1, 2023 as long as it meets with the regulations’ requirements. Consent must be provided through a clear, affirmative action, be freely given and specific. The regulations provide more detail about what this means. For example, they specify that a pre-checked box or “blanket acceptance of general terms and conditions” are not sufficient. Similarly, if consent is being sought for multiple things and those items are “not reasonably necessary to or compatible with one another” then people must be able to provide separate consents.

Putting it into Practice: Now that the Colorado regulations have been finalized, companies subject to the law can more easily move forward with their compliance activities. This includes review of privacy policies, targeted advertising activities, rights request processing, data minimization, consent reviews, and more.

Kathryn Smith, a fellow in the firm's Chicago office, also authored this article. 

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

New Program Under Biden Executive Order to Prevent Access to American’s Sensitive Personal Data by Foreign Actors
by: Townsend L. Bourne , Jordan Mallory
FTC Votes to Ban Noncompete Agreements
by: John D. Carroll , Leo Caseria
Treasury Department Proposes to Sharpen the Teeth of CFIUS Enforcement
by: Brian D. Weimer , Douglas A. "Drew" Svor
Mother May I? Florida and Utah Recently Regulations for Minor Use of Social Media Platforms
by: Snehal Desai
Supreme Court Holds “Pure Omissions” Are Not Actionable Under Rule 10b-5(b)
by: John P. Stigi III , Kristin P. Housh
Utah Breach Notice Law Amended, Effective May 1
by: Liisa M. Thomas
Organizational Integrity Shorts: The Importance of Post-Investigation Activities
by: Jonathan S. Aronie , A. Joseph Jay, III
Artificial Intelligence Highlights from FTC’s 2024 PrivacyCon
by: Carolyn V. Metnick , Gianfranco Spinelli
California’s AB 3129: A New Hurdle for Private Equity Health Care Transactions on the Horizon?
by: John D. Carroll , Matthew J. Goldman
Divided 9th Circuit Says District Court Has Power to Adjudicate TM Applications
by: Sofya Asatryan

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins