Consumer rights

New privacy laws in 2023 – review of draft regulations in Colorado

November 23, 2022 – Data privacy has been a hot topic throughout 2022. As businesses prepare for 2023, they need to be prepared for upcoming national privacy laws in states such as California and Colorado. In a previous article, (“New Privacy Laws in 2023 – Given Draft Regulations”, Reuters Legal News, November 16, 2022) (, I discussed the significant changes in the California Privacy Rights (CPRA) Updated Draft, which was released on October 17. This article focuses on the draft rules in Colorado.

Colorado Privacy Act Draft Rules Released

The Colorado Attorney General’s Office has released draft rules for the Colorado Privacy Act (CPA). Posted on September 30, 2022, the draft rules explain how the CPA will be implemented when it comes into effect on July 1, 2023. A public comment period began on October 10 and will end on February 1, when the office of the Colorado AG will hold a public hearing. Therefore, we are still months away from seeing the final CPA rules.

Businesses striving to comply with other states’ data protection laws will find that many of the requirements of the CPA’s proposed rules largely overlap with the Consumer Data Protection Act (VCDPA) of California and Virginia. The CPA itself follows the VCDPA quite closely. Nevertheless, important distinctions in the handling of sensitive data, consumer-facing obligations and data management will require careful attention as companies harmonize their privacy practices under various national laws. Below are summaries of some notable distinctions in the CPA’s draft rules.

New definitions

Sensitive data inferences

The draft rules create a new category called “sensitive data inferences”. Using personal information collected from a consumer, a business can infer a category of sensitive data, and those inferences are treated as sensitive data. For example, a company may infer the category of sensitive data about religious beliefs based on the consumer’s disclosure of a dietary restriction.

Generally, inferences of Sensitive Data are treated as Sensitive Data collected directly from the Consumer would be and, therefore, cannot be processed without first obtaining the Consumer’s consent. However, a data controller (i.e. the party collecting the information from the consumer on its own behalf) may process inferences from sensitive data of consumers over the age of 13 without obtaining their consent, under certain conditions. .

Biometric data

The draft rules’ treatment of biometric data resembles that of California’s CPRA in many respects. However, the regulations introduce two new terms, “biometric identifiers” and “biometric data,” which have similarities to Illinois’ biometric information privacy law (a law that often serves as the basis for class action lawsuits).

Biometric identifiers refer to data generated by the processing, measurement or analysis of an individual’s biological, physical or “behavioural” characteristics. Biometric data is a broader term that refers to biometric identifiers used for identification purposes.

Consumer rights and demands


The draft rules’ process for consumers to submit requests, such as access and deletion requests, to companies is similar to those found in the new California Privacy Rights Act (CPRA). A Covered Business’ Submission Methods do not need to be Colorado-specific, but must clearly state that they are available to Colorado consumers, provide all data rights available to Colorado consumers ( including the right of correction, which is not available under the CPRA, but under the CPA), provide a clear explanation of how to exercise consumer rights and meet the general notification requirements of the proposed rules.

Opt-out requests

Consumers must have a method to opt out of the processing of personal data, including sensitive data. This option may be provided directly or via a clear and visible link in its privacy notice and in an easily accessible location outside of its privacy notice.

If an unsubscribe link is used, it must direct the consumer directly to the unsubscribe method. Within 15 days of receiving a valid opt-out request, the processing of that consumer’s personal data must cease.

Authentication of consumer requests

Companies must establish “reasonable” methods to authenticate a consumer submitting a data rights request. The reasonableness of any method depends on the specific rights being exercised, the risk that improper access to personal information could pose to the consumer, and the value, quantity and sensitivity of the personal data associated with the request.

Universal opt-out mechanisms

The draft rules include details on the Universal Unsubscribe Mechanism (UOOM) for an easy way for consumers to exercise their opt-out rights with all controllers they interact with, rather than making individual requests with each. Data controllers must offer consumers the means to provide an affirmative, free and unambiguous choice to opt out of the processing of personal data for the purposes of targeted advertising, sales or both.

The lengthy provisions of UOOM that controllers must adhere to cover notice and choice, acceptable default settings, technical specifications for recognizing and honoring opt-out requests, controllers’ obligations after receiving an opt-out request, and the consumer choice to consent to processing after opting in through a UOOM. The draft rules state that the Colorado Department of Law will maintain a public list of UOOMs that meet the standards of the CPA’s Final Implementing Rules. The list will be created by April 1, 2024.

Obligations of controllers

The draft rules contain obligations for monitors that generally follow those of the CPRA and the VCDPA, but several differences deserve our attention:

• Privacy notices must clearly state what data subject rights are available to Colorado residents. The CPA grants consumers the right to confirm whether a controller is processing their personal data and access to that data; correct inaccuracies in their personal data; to delete their personal data; to obtain a copy of the personal data they provided to the controller in a portable format and to opt out of several types of processing, including the sale of personal data and the use of personal data for the purposes of targeted advertising or profiling producing a legal interest or similar effect.

• Data controllers must disclose the “express purposes” for which each type of personal data is collected and processed in sufficient detail to provide consumers with a “meaningful understanding of how their personal data is used and why their personal data is used.” reasonably necessary for the purpose of the processing.

• The draft rules adhere to the principles of purpose specification and data minimization, where only minimal consumer personal data may be collected for the processing purposes specified at the time of collection. The determination of these purposes should be documented and personal data that identifies consumers should only be retained for as long as necessary, adequate or relevant for the express purpose(s) specified.


Controllers will need to obtain consumer consent for, among other things, the processing of sensitive data. This consent must reflect the consumer’s clear and affirmative choice, be freely given, be specific and informed, and reflect the consumer’s unambiguous agreement to such processing – a standard which mirrors the requirements of the General Data Protection Regulation ( GDPR) of the European Union. The draft rules state that consent can be withdrawn.

The draft rules also introduce the “renewal of consent” requirement, where a company must “renew” consent at indefinite intervals, except for sensitive data, which must be renewed annually. Additionally, the draft rules are consistent with the CPRA draft rules in that both prohibit controllers from using “dark models” that improperly coerce or manipulate a consumer into giving consent. .


The draft rules create three levels of profiling which distinguish processes based on “solely automated processing”, “automated processing controlled by humans” and “automated processing involving humans”. Businesses must designate a way for consumers to opt out of profiling decisions that “produce legal or similar effects” if those decisions are made through automated processing.

They must also provide consumers with a notice that includes a plain language explanation of the logic used in the profiling process and whether the profiling system has been evaluated for accuracy, fairness or bias. A business can refuse a consumer’s request to opt out of profiling if the newly defined “automated processing involving human persons” was used. If so, a more detailed notice should be provided to the consumer.

Data Protection Assessments

When a processing activity poses an “increased risk of harm” to Colorado consumers, the CPA requires companies to complete a “data protection impact assessment” (DPIA). A DPIA should be a “genuine and thoughtful analysis” that covers all aspects of a controller’s organizational structure.

The draft rules list 18 topics that must be included in the DPIA, including the specific purpose of processing, procedural safeguards, names and categories of third party recipients of personal data, and risks to consumers. These DPIAs must be reviewed and updated regularly – and at least once a year with respect to certain profiling decisions.


As with California’s new privacy law, full compliance with the CPA is not yet possible until these regulations are finalized in 2023.

The opinions expressed are those of the author. They do not reflect the views of Reuters News, which is committed to integrity, independence and non-partisanship by principles of trust. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Gary Kibel

Gary Kibel is a partner at Davis+Gilbert LLP, where he is a member of the Privacy + Data Security and Advertising + Marketing practice groups. He offers his clients perspective on cutting-edge issues in digital media, advertising, technology and privacy. He is based in New York and can be reached at [email protected]