Colorado Finalizes Privacy Act Rules: Key Updates for Businesses
The new year brings with it several state privacy law developments, including the effective dates for comprehensive privacy legislation in Delaware, Iowa, Nebraska, New Hampshire and New Jersey. Among this flurry of new state law obligations, however, privacy officers should not lose sight of continuing developments in states that helped pioneer the wave of state privacy laws, such as in Colorado.
In December 2024, the Colorado Attorney General’s Office finalized rules for the Colorado Privacy Act (CPA), and they were approved by the state’s Attorney General. The rules modify the existing rules to address amendments to the CPA recently passed by the Colorado legislature related to minors’ online activity (SB 24-041, effective October 1, 2025) and biometric data (HB 24-1130, effective July 1, 2025), and describe in detail the process for issuing Opinion Letters and Interpretive Guidance, as contemplated by provisions in the CPA when it was initially enacted in 2023. The portions of these rules relating to minors’ online activity and biometric data are effective on dates coterminous with the effective date of each amendment; the other provisions of the rules will be effective as of January 30, 2025.
I. Key Takeaways – Amendments Re Minors’ Online Data and Biometric Data Apply to Businesses Not in Scope for Other CPA Provisions.
The amendments regarding minors’ online activities and biometric data each apply to entities that collect or process minors’ personal data or biometric data of Colorado residents, without regard as to whether a business meets existing CPA thresholds (i.e., controlling or processing the personal data of 100,000 or more Colorado residents, or deriving revenue or receiving a discount on the price of goods or services from the sale of personal data and controlling the personal data of 25,000 or more Colorado residents).
The amendments and regulations regarding minors’ online activities apply to entities that offer any “online service, product or feature to [Colorado resident] whom the controller actually knows or willfully disregards” is under the age of 18 and their processors. The biometric privacy amendments and regulations apply to entities that control or process any “biometric identifiers” or “biometric data.”
II. Key Takeaways – Minors’ Online Data Amendments (Effective October 1, 2025)
Consistent with the recent wave of legislation and other regulatory developments aimed at protecting teens online, these CPA amendments extend privacy protections to the personal data of minors under 18 years of age when their data is collected online. The amendments and related regulations require controllers to obtain consent before processing data of minors under 18 for the purposes of (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Consent is also required prior to the collection of minors’ precise geolocation data unless it is limited to what is necessary to provide the product or service and controllers provide a signal to a minor indicating their geolocation data is being collected for the duration of the collection (with an exception for ski area operators). Consent is also required before “[u]sing any system design feature to significantly increase, sustain, or extend the use of an online service, product, or feature by a consumer whom the controller actually knows or willfully disregards as a Minor.”
With respect to data protection impact assessments, the amendment and rules extend existing requirements to assess the sources and nature of risks to Colorado residents’ rights to include any “heightened risk of harm” to minors that is a “reasonable foreseeable result” of offering an online service, product or feature to minors.
The new requirements governing the online collection and processing of minors’ online data generally build upon the CPA’s existing protections for the data of children under 13 (for which opt-in consent is required prior to collection of such data); however, as noted above, because the CPA’s data-volume and data-sale thresholds do not apply to these new amendments and rules, these provisions will apply to some entities that currently are not subject to the CPA.
III. Key Takeaways – Biometric Identifiers and Biometric Data
The CPA biometric privacy amendment ushers in a decidedly different approach to the regulation of biometric data, in several respects.
For example, the amendment governs the collection and use of “biometric identifiers,” which it defines broadly to include biometric identifiers that “can” be used (alone or with other data) to identify an individual, even if the collecting entity does not use or intend to use them to identify an individual. This definition is consistent with 2023 FTC biometric privacy guidance, but it is not consistent with many state data privacy laws (including the CCPA) that tether the definition of biometric identifiers (and the resulting compliance obligations) to a controller’s intention to use the identifier to identify an individual. Most of the compliance obligations under the CPA amendment apply to the collection of such “biometric identifiers.” Several apply only to “biometric data,” which is defined as biometric identifiers that are used by a controller for identification purposes.
Using the broad definition of biometric identifiers, the CPA amendment requires that consent be obtained for the sale, lease, disclosure or other dissemination of such identifiers and introduces a novel prohibition against the sale of biometric identifiers unless the controller pays the subject an unspecified amount of money and obtains their consent, with some exceptions. This is in addition to existing provisions of the CPA that require consent be obtained prior to the collection of biometric data used to identify an individual.
Data minimization provisions in the CPA biometric data amendment require controllers to conduct reviews at least annually to assess whether continued retention of biometric identifiers is necessary, adequate or relevant to the initial processing purpose, and to publish to the general public guidelines for the deletion of identifiers based upon the results of these reviews. Publication of the controller’s data retention schedule for biometric identifiers is also required. Controllers must also include in their incident response plans provisions that address security incidents that may compromise the security of biometric identifiers and plans for consumer notification in the event of a breach involving such identifiers.
The CPA’s biometric data amendment also represents the first extension of US state data privacy laws to employees and prospective employees outside of California. Specifically, the amendment allows employers to condition employment on the collection of biometric identifiers from employees or prospective employees, without prior consent, provided such identifiers are used for limited purposes including permitting access to certain physical locations and technologies used by the employer (with some limitations); attendance monitoring; and for workplace safety and security purposes. The collection of biometric identifiers from employees and prospective employees for other purposes is permitted with consent, but employment cannot be conditioned on an employee or prospective employee providing such consent.
IV. Key Takeaways – Opinion Letters and Interpretive Guidance
Finally, new CPA rules establish processes by which entities subject to the CPA may request Opinion Letters or Interpretive Guidance from the Attorney General, and the scope and import of such letters and guidance. These rules will be effective on January 30, 2025. Below are four key takeaways:
- Entities subject to the CPA can submit requests, through the Attorney General’s website, for Opinion Letters and Interpretive Guidance. An Opinion Letter is defined as an opinion as to the application of the CPA to a specific factual situation, while Interpretive Guidance is defined as a statement issued by the Attorney General that “calls attention” to a “well-established interpretation or principle” of the CPA without applying it to a specific factual situation.
- If the Attorney General issues an Opinion Letter in response to a request (which it is not obligated to do), the entity that requested the letter may rely upon it in asserting a good faith reliance defense, provided the underlying facts and representation in the request for the letter remain accurate. Notably, entities that have not requested an Opinion Letter cannot use an Opinion Letter obtained by a third party as a good faith reliance defense.
- Interpretive Guidance issued by the Attorney General, even if issued in response to an entity’s request, cannot be relied upon as a good faith defense and is not binding on the Attorney General with respect to any specific factual situation.
- While the Attorney General may only issue an Opinion Letter in response to a request by an entity subject to the CPA, it may issue Interpretive Guidance sua sponte if the Attorney General believes such information will be of assistance to those who are subject to the CPA.
Opinion Letters and Interpretive Guidance will be published on the Colorado Attorney General’s website.
V. Considering Compliance in the New Year
Businesses and non-profit entities alike that do business in Colorado should carefully review these amendments and regulations and determine whether they may now be in scope for at least part of the Colorado Privacy Act. All entities already subject to the CPA should likewise review these amendments and new regulations to understand their compliance obligations moving forward.
Updated as of January 16, 2025.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.