colorado privacy act

More Revisions to the Draft Rules of the Colorado Privacy Act

A handful of states are cracking down on the use of consumer personal data by creating and enforcing strict data privacy laws. The most recent action concerns privacy laws in the State of Colorado. For some months now, the State has been working to produce draft rules governing the collection, use, and dissemination of consumer personal information in accordance with the Colorado Privacy Act (“CPA”). The CPA is a part of the State of Colorado’s Consumer Protection Act. The CPA authorizes the Colorado Attorney General (“AG”) to adopt rules governing consumer privacy. According to the AG’s website, it is required to adopt rules that, among other things, set forth the specifications for “one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.”

Changes to Privacy Policies Under the Colorado Privacy Act Draft Rules

Following public comment, the CPA draft rules have been revised on more than one occasion. In fact, the Colorado draft rules have gone through several iterations. In December 2022, the revised rules included particular language governing when and how to notify consumers in the event of changes to a company’s privacy policy. This section was further updated on January 23, 2023. The new language identifies when a Controller must obtain consumer consent: “[i]f a material change rises to the level of a Secondary Use, a Controller must obtain Consent from a Consumer . . . in order to Process Personal Data that was collected before the change to the privacy notice for that Secondary Use.”

What is “Secondary Use” Within the Meaning of the Colorado Privacy Act Draft Rules?

Marketing professionals will certainly appreciate the comprehensive nature of the draft rules. Specifically, when determining whether a controller must obtain consumer consent to a privacy policy change, companies must consider whether the change rises to the level of secondary use. Under the draft rules, the specified processing purpose should be disclosed to consumers before the time that the personal data is collected or processed. This disclosure must be included in any required privacy policy or consent disclosure. As for secondary use, consumer consent is required before processing personal data for purposes that are not reasonably necessary to or compatible with the specified processing purpose(s). 

Please note that consent must be freely given. According to the draft rules, consent is not considered to be freely given when it reflects acceptance of a general or broad Terms of Use agreement, or a similar document that contains descriptions of personal data processing along with other, unrelated information. The upshot of this change is that Colorado wants companies to obtain separate consent from consumers for the use and/or sharing of their data by/with third party marketing companies. This consent should not be bundled with any other consent language.

Additional Updates to the Colorado Privacy Act Draft Rules

The revisions are encapsulated in a 47-page document. Some of the more notable updates affect sections on profiling, universal opt-out measures, and data protection assessments. This is a complicated and cumbersome set of revised rules, which have not even been finalized. Another meeting is scheduled for February 1, 2023, that will address the revised regulations. Please keep in mind that the final rules are scheduled to go into effect on July 1, 2023.

To make sense of these regulations, it is essential that businesses consult with an experienced marketing attorney or risk potential exposure to regulatory action.

If you need assistance with state data privacy compliance, please email us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Related Blog Posts:

Draft Colorado Privacy Act Rules Undergoing Revision

State Privacy Laws In 2023: Are Your Privacy Practices Compliant?

How Does The Colorado Privacy Law Compare To The CCPA?


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

data CIPA law Swigert law consumer protection data on cumputer screen

Swigart Law Group CIPA Demands

Readers of this blog likely know about the wave of consumer privacy litigation directed at online companies’ collection of consumer data. A litany of these

Read More »