Draft details of how Colorado intends to implement its new consumer privacy law would add requirements that attorneys say companies should consider well ahead of the July 2023 effective date.
Proposed Colorado Privacy Act rules released by the state attorney general’s office provide specifics of how the state intends to bolster consumers’ control over how their personal data is collected, processed, and sold. People can offer feedback at November forums and provide comments through a Feb. 1 rulemaking hearing.
The rulemaking comes as several other states are set to implement consumer privacy mandates in 2023 and California is finalizing expanded rules. Colorado’s draft rules add clarity but also complexity to the patchwork of requirements companies will soon face, said Amy Pimentel, a partner at McDermott Will & Emery LLP.
“My first impression is that they’re extremely long,” Pimentel said of the Colorado draft rules. “I think the big takeaway is that they’re really important to read.”
Utah, Virginia, and Connecticut join Colorado and California in implementing comprehensive privacy laws next year, but California and Colorado are the only states undergoing rulemaking.
State Laws Vary
Colorado’s privacy law will apply to entities that do business in the state or target its residents and meet specific thresholds for the number of consumers whose personal data is controlled, processed, or sold.
Proposed rules on requirements for consumer consent are particularly important, Pimentel said. The Colorado law also gives consumers the right to use universal opt-out mechanisms to signal their privacy preferences across multiple websites. How those rules are finalized will be of interest to the business community, because the requirements could be burdensome.
Colorado’s law will also require businesses to conduct data protection assessments in some cases.
Companies must understand differences in state privacy laws—and the complexity of Colorado’s draft rules could increase the risk of conflicting with another state’s law, Lindsey Tonsager, co-chair of Covington’s global privacy and cybersecurity practice, said in an email.
For example, Colorado and California are proposing different standards on opt-outs of personalized advertising and the sale of data, she said.
“California and Colorado each have pages of regulations containing highly detailed, and often different, requirements for these controls, covering everything from the language that must be used, to their scope, to their placement and format,” Tonsager said.
Complying with requirements in Colorado and California won’t be a “direct translation,” Pimentel said. The California Privacy Protection Agency Board will next consider the state’s draft regulations at meetings Oct. 28 and Oct. 29.
“There are enough differences where you can create a one-size-fits-all program, but you need to do it thoughtfully,” Pimentel said.
Still, companies complying with California’s law will have a solid foundation for Colorado, said Liz Harding, technology transactions and data privacy vice chair at Polsinelli.
Nonprofits may have a higher workload complying with Colorado’s law because they don’t fall under California’s law. “That’s where it’s going to be a big lift,” Harding said.
The Colorado attorney general’s office has been willing to listen to input and concerns about implementing the state’s privacy law, said David Stauss, a partner at Husch Blackwell LLP, during a webinar analyzing Colorado’s draft rules. Stauss said to expect changes before the state finalizes rules.
“Feel free to engage in this as much as you can,” he said.