On March 15, 2023, the Colorado Attorney General’s (Colorado AG) office released the final version of the Colorado Privacy Act (ColoPA) rules (the final rules), which are based on public comments on the third version of the rules published on January 27, 2023.1 The final rules were published in the Colorado Register on March 25, 2023. While the final rules are substantially similar to the third version of the proposed rules, there are several notable revisions companies should consider as part of their compliance efforts. Below are some key takeaways from the changes in the final rules.
Privacy Notice Content Requirements (Rule 6.03). The final rules keep the onerous privacy notice requirements from the previous draft. Specifically, controllers must disclose how each category of personal data will be used for each processing purpose. This rule is more detailed than those required by the California Consumer Privacy Act (CCPA) final proposed rules, which allow the processing purposes to be identified more generally and do not require each processing purpose to be linked to a specific category of personal information.
Opt-Out Link Text (Rule 4.03(B)(3)). The final rules add “Your Privacy Choices” as an example of a valid opt-out link text to align with one of the options provided by the CCPA. As a reminder, the CCPA permits businesses to use “Your Privacy Choices” text as a way to simplify links where the business offers an opt-out for “sales” and “sharing” under the CCPA and allows consumers to limit use of their sensitive personal information.
Data Minimization (Rule 6.07(B)). The final rules now require controllers that store photos or voice recordings of Colorado residents to conduct an annual review to ensure that the photos and voice recordings are not kept longer than necessary, adequate, or relevant, even if the controller does not generate any personal data from the files.
In complying with the above consent requirements, however, controllers should keep in mind that if a consumer refuses or withdraws consent for processing sensitive data or personal data that is strictly necessary for a service, the controller is not required to provide that service. (Rule 7.07(D)(1)).
Both the ColoPA and the final rules become effective on July 1, 2023. While companies covered by the CCPA may be able to leverage some of their CCPA compliance efforts to fulfill their obligations under the ColoPA and the final regulations, these regimes do not overlap in a comprehensive way. For example, whereas the California Privacy Protection Agency (CPPA) is just beginning its efforts to draft regulations on risk assessments and profiling, the ColoPA final rules already contain requirements controllers must consider to these ends.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your ColoPA compliance efforts, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Hale Melnick, Clinton Oxford, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.
We previously covered the Colorado AG's rulemaking process and pre-rulemaking considerations in the following Wilson Sonsini Alerts: “Colorado Attorney General’s Office Releases Third Version of Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General Announces Privacy Rulemaking,” and “Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act.” We also provided an overview of the ColoPA’s key requirements in another Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”