Colorado Attorney General Proposes Privacy Act Rules

On September 13, 2024, the Colorado Attorney General published a set of proposed rules for the Colorado Privacy Act. The proposed rules introduce several significant changes aimed at enhancing consumer privacy protections and clarifying the responsibilities of businesses.

1. Biometric Identifier

One major addition in the draft would apply to the collection or processing of “Biometric Identifiers” (defined as data generates by the technological processing, measurement, or analysis for an individual's biological physical, or behavioral characteristics" which can be used “for the purpose of uniquely identifying any individual.”).

Under the proposed rules, companies would be required to put forth a “Biometric Identifier Notice” at or before the collection or processing of any biometric identifiers. This notice must include:

• Concrete and definition terms; and
• Clearly labelled if defined within a larger privacy notice.

The proposed rules also clarify that the Notice must be “reasonably accessible." Examples of “reasonably accessible” notices include a separate notice provided to the consumer or a link that takes the consumer directly to the Notice (and to the specific part of the privacy notice which contains the Biometrics Notice). Such a Notice is required even where the company does not operate a website, and interacts with a consumer entirely offline.

2. Consent

In addition, the proposed rules also set forth additional requirements that required “valid Consumer Consent":

• Prior to processing the personal data of a minor;
• Prior to the use of any system design features which is intended to significantly extend a minor's use of any online system;
• Selling, disclosing, or otherwise disseminating biometric identifiers (subject to certain exceptions).

3. Employee Consent for Biometric Identifiers

The proposed rules add a new rule, Rule 7.09, related to the collection and processing of employee biometrics.

Split into three clauses, this new rule would require:

1. Limitations on whether and when an employee may condition employment on consent to the collection or processing of the employee (or prospective employee's) biometric identifiers.
2. Consent for employees must be consistent with all the requirements for disclosures and communications for consumers more generally so that employees must receive the same level of notice as any consumer would under the Act.
3. Collection of consent must be consistent with the remainder of the Act such that the employee must be able to consent in the same way that any consumer would.

4. Opinion Letters

Finally, the proposed rules would add a substantial new section (Part 10) related to the provision of Opinion Letters. These letters would provide guidance to both covered individuals (including companies subject to the Act) as well as the general public.

a. Request for Opinion Letters

• Eligibility to Request: Any person or entity subject to the CPA can request an opinion letter. This includes businesses, data controllers, data processors, and other stakeholders.
• Submission Process: Requests for opinion letters must be submitted in writing to the Colorado Attorney General’s office. The request should include a detailed description of the specific issue or question for which the opinion is sought.

b. Content of Requests

Requests for opinion letters must contain the following elements:

• Identification of the Requestor: The request must clearly identify the person or entity making the request, including contact information.
• Statement of Facts: A comprehensive statement of the relevant facts and circumstances surrounding the issue or question.
• Specific Questions: Clearly articulated questions or issues for which the opinion is sought.
• Legal Analysis: Any relevant legal analysis or arguments that the requestor believes should be considered by the Attorney General’s office.

c. Issuance of Opinion Letters

• Review Process: Upon receiving a request, the Attorney General’s office will review the submission to determine whether an opinion letter is warranted. This review includes an assessment of the completeness and clarity of the request.
• Consultation: The Attorney General’s office may consult with other relevant state agencies or experts as part of the review process.
• Drafting and Issuance: If the request is accepted, the Attorney General’s office will draft the opinion letter, providing a formal interpretation or clarification of the CPA as it applies to the specific issue or question. The opinion letter will be issued in writing to the requestor.

d. Binding Nature and Publication

• Binding Effect: Opinion letters issued by the Attorney General’s office are binding on the requestor and provide a safe harbor from enforcement actions for the specific conduct described in the request, provided that the facts and circumstances are accurately represented.
• Publication: The Attorney General’s office may publish opinion letters on its website or through other means to provide guidance to the broader public. Published opinion letters will be redacted to remove any confidential or proprietary information.

e. Limitations and Conditions

• Non-Retroactivity: Opinion letters are not retroactive and apply only to the specific facts and circumstances described in the request.
• Revocation or Modification: The Attorney General’s office reserves the right to revoke or modify opinion letters if there are changes in the law or if new information comes to light that affects the original interpretation.

Conclusion

The proposed amendments to the Colorado Privacy Act rules represent a comprehensive effort to strengthen consumer privacy protections and clarify the obligations of businesses handling personal data.

By enhancing consumer rights, imposing stringent obligations on data controllers and processors, and ensuring transparency and accountability, the proposed rules aim to create a robust framework for data privacy in Colorado. In particular, the proposed rules create new obligations for employers and for the handling of biometric information and the personal information of minors.

If your company collects or processes any of this type of information, then these proposed rules may have an effect on your operations and could impact your current website policies.