data privacy

Draft Colorado Privacy Act Rules Undergoing Revision

On July 7, 2021, Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules (“Rules”). As readers of our blog know, the CPA is a part of the State of Colorado’s Consumer Protection Act. As states enact their own data privacy laws, the resulting provisions are often compared to the California Consumer Privacy Act (“CCPA”). California led the way in data privacy legislation and certainly prompted other states to contemplate how businesses could better address consumer data privacy rights. Please note that Colorado lawmakers have taken their mandate seriously and, as such, seem committed to drafting rules that serve the data privacy interests of state residents.

Process of Revising Colorado Privacy Act Rules

The Colorado Attorney General and Colorado Department of Law are taking what they termed, an “iterative” approach, to the promulgation of CPA Rules. On October 10, 2022, the Colorado Secretary of State published CPA draft rules. In the interest of public involvement and transparency, the Colorado Department of Law has invited feedback from interested and affected parties, both through a written comment portal and through a series of three stakeholder sessions. The latest version of the CPA Rules was updated on December 21, 2022, and, likely, will undergo further revision. In fact, according to the Department of Law, members of the public will have the opportunity to provide oral comment at the formal CPA rulemaking hearing on February 1, 2023. Significantly, State lawmakers have indicated that, “[a]ny revisions to the 12-21-2022 iteration of the proposed draft rules will be made available to the public at least five (5) days prior to the February 1, 2023, rulemaking hearing.”

Latest Version of the Colorado Privacy Act Rules

The updated Rules consist of 40 pages of redlined revisions to the original October 2022 draft. Among the many areas of revision include: the definitions section, privacy policy content, consent and refreshing consent requirements, consumer profiling, duties of controllers, consumer personal data rights (including the right to opt-out, right to access, right to correction, right to deletion), a universal opt-out mechanism, and the need to conduct data protection assessments. As stated above, the Rules continue to be revised and will certainly see another “iteration” or two before they are finalized.

As this is a volatile and unsettled area of the law, it is extremely important to be sure that your marketing efforts continue to be compliant with evolving state data privacy regulations. To be safe, the best course of action is to contact an experienced data privacy attorney. If you need assistance with implementing Colorado privacy law compliance measures, please e-mail us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Photo by Choong Deng Xiang on Unsplash

Related Blog Posts:

How Does The Colorado Privacy Law Compare To The CCPA?

Colorado’s New Automatic Renewal Law Effective January 1, 2022!

California’s Data Privacy Agency CPRA Rulemaking


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

TCPA vicarious tcpa law woman holding cellphone telemarketing laws

TCPA Vicarious Liability

An Illinois federal district court judge recently held that State Farm Mutual Automobile Insurance Company (“State Farm”) may be vicariously liable for alleged Telephone Consumer

Read More »