Colorado Finalizes Privacy Act Rules: Key Updates for Businesses
The new year brings with it several state privacy law developments, including the effective dates for comprehensive privacy legislation in Delaware, Iowa, Nebraska and New Hampshire. The effective date of New Jersey’s new privacy law will follow mid-month, on January 15. Among this flurry of new state law obligations, however, privacy officers should not lose sight of continuing developments in states that helped pioneer the wave of state privacy laws, such as Colorado.
On December 5, 2024, the Colorado Attorney General’s Office finalized rules for the Colorado Privacy Act (CPA). As the final step in the rulemaking process, the State Attorney General issued a formal opinion verifying the constitutionality of the rules on December 16 and the adopted rules were subsequently filed with the Secretary of State and the Office of Legislative Legal Services. The rules will become effective on January 30, 2025.
These rules provide important clarity to businesses and consumers regarding privacy rights and compliance obligations under the CPA, which went into effect on July 1, 2023. At a high level, the rules accomplish two central purposes: (i) modify the existing rules to address laws recently passed by the Colorado legislature related to children’s privacy (SB 41, effective October 1, 2025) and biometric data (HB 1130, effective July 1, 2025); and (ii) solidify the process for issuing opinion letters and interpretive guidance.
I. Key Takeaways – Children’s Privacy
Consistent with the recent wave of legislation and other regulatory developments aimed at protecting children online, the rules impose new obligations on businesses that offer any online service, product, or feature to minors (defined as individuals under the age of 18) as well as children (defined as individuals under the age of 13). Controllers are required to obtain consent when (i) collecting or processing the personal data of a known child, in which case, the child’s parent or lawful guardian must provide consent; or (ii) collecting or processing the personal data of a consumer when the controller has actual knowledge or willfully disregards that the consumer is a minor. Consent is also required before “[u]sing any system design feature to significantly increase, sustain, or extend the use of an online service, product, or feature by a consumer whom the controller actually knows or willfully disregards as a Minor.”
With respect to data protection impact assessments, the rules require that controllers identify whether the categories of personal data to be processed include the personal data of any person under the age of 18, or sensitive data which may include personal data from a known child. Such assessments must also describe the sources and nature of any heightened risk of harm that is a reasonably foreseeable result of offering an online service, product, or feature to minors.
II. Key Takeaways – Biometric Information Requirements
The rules require controllers to provide a plain language notice, in its entirety, at or before the initial collection or processing of any biometric information (i.e., fingerprints, voiceprints, etc., as defined in the rules and statute). The notice may alternatively be made available via a link on the website’s home page, and, if applicable, any mobile application’s app store page or download page. In-scope businesses are similarly required to provide notice before implementing a material change in the processing purpose of any biometric information. Consent is also required before “[s]elling, leasing, trading, disclosing, redisclosing, or otherwise disseminating Biometric Identifiers,” subject to the exceptions in the CPA. Notably, the rules permit a controller’s biometric notice to be included in its general privacy notice so long as the biometric notice is clearly labeled as such.
Controllers are also required, in certain situations, to obtain consent before collecting or processing the biometric data of their current or prospective employees. For instance, employers are required to “refresh” consent to collect biometric data in certain scenarios (e.g., before processing an employee’s biometric data or processing a biometric identifier for a secondary use). This is a novel development for the CPA, which has not previously extended any privacy rights to employees.
III. Key Takeaways – Opinion Letters and Interpretive Guidance
Finally, the rules establish various processes for the development of opinion letters and interpretive guidance. These modifications are particularly useful insofar as they clarify the methods by which companies can seek regulatory guidance from the Colorado AG. In that regard, there are four key takeaways:
- The rules now allow opinion letters to serve as a foundation for a good faith reliance defense, extending this protection to individuals or entities not directly involved in the opinion letter request. This extension, however, is contingent on the Attorney General’s sole discretion.
- If a data protection assessment is included in a request for an opinion letter, the rules assert that its submission would not forfeit confidentiality or waive any applicable privilege or work product protections.
- Opinion letters will continue to be published on the Colorado AG’s website. However, the rules now require the redaction of protected details as defined by the Colorado Open Records Act.
- Any individual or entity affected directly or indirectly by the Colorado Privacy Act may request interpretive guidance from the State AG.
IV. Considering Compliance in the New Year
To navigate the complexities of these rules, businesses should consider reviewing and updating their privacy notices and policies to meet CPA-specific requirements. As part of that review, it would be beneficial to examine the systems used to honor opt-out requests, including universal opt-out signals. Companies that process biometric information should consider their consent practices in light of the final rules. Similarly, companies that process children’s or teen data should consider data protection assessments, and whether any additional disclosure and consent processes will be needed. Among the myriad January 2025 privacy developments, Colorado’s regulations are worthy of attention.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.