Colorado consumer privacy rules will be added to pending business mandates

The draft details of how Colorado plans to implement its new consumer privacy law would add requirements that lawyers say businesses should consider well ahead of the July 2023 effective date.

The proposed Colorado Privacy Act rules released by the Attorney’s Office provide details on how the state intends to increase consumer control over how their personal information is collected, processed and sold. People can provide feedback on the November forums and comment during a rulemaking hearing on February 1st.

The rulemaking comes as several other states implement consumer privacy mandates in 2023 and California finalizes expanded rules. Colorado’s draft rules bring clarity but also complexity to the patchwork of requirements that companies will soon face, said Amy Pimentel, a partner at McDermott Will & Emery LLP.

“My first impression is that they’re extremely long,” Pimentel said of Colorado’s draft rule. “I think the big plus is that it’s really important to read.”

Utah, Virginia and Connecticut are joining Colorado and California to enact sweeping privacy laws next year, but California and Colorado are the only states to enact regulations.

State laws vary

Colorado’s privacy law applies to businesses that do business in the state or serve its residents and meet certain thresholds for the number of consumers whose personal information is controlled, processed, or sold.

Proposed rules on consumer consent requirements are particularly important, Pimentel said. Colorado law also gives consumers the right to use universal opt-out mechanisms to signal their privacy preferences across multiple websites. How these rules are finalized will be of interest to the business community as the requirements could be onerous.

Colorado law also requires companies to conduct privacy audits in some cases.

Businesses need to understand differences in state privacy laws — and the complexity of Colorado’s bills could increase the risk of conflicts with another state’s law, said Lindsey Tonsager, co-chair of Covington’s global privacy and cybersecurity practice, in an e-mail. Mail.

For example, Colorado and California propose different standards for opting out of personalized advertising and selling data, she said.

“California and Colorado each have pages of regulations that contain very detailed and often different requirements for these controls, covering everything from the language to be used, to its scope, to its placement and format,” Tonsager said.

Some overlap

Compliance with Colorado and California requirements is not a “direct translation,” Pimentel said. The board of directors of California’s privacy regulator will next review the state’s draft regulations at meetings on Oct. 28-29.

“There are enough differences where you can put together a program for everyone, but you have to do it carefully,” Pimentel said.

Still, companies that comply with California laws will have a solid foundation for Colorado, said Liz Harding, Polsinelli’s vice chair of technology transactions and privacy.

Nonprofits may have a heavier workload if they comply with Colorado laws because they are not governed by California laws. “There’s going to be a big upswing here,” Harding said.

The Colorado Attorney General’s office was ready to hear suggestions and concerns about the state’s implementation of the state’s privacy law, said David Stauss, a partner at Husch Blackwell LLP, during a webinar analyzing Colorado’s draft legislation. Stauss said he expects changes before the state sets the rules.

“Feel free to delve into it as much as you can,” he said.


Leave a Reply

Your email address will not be published. Required fields are marked *