On December 21, 2023, the Colorado Attorney General released a second draft of the Colorado Privacy Act Rules, revising the previous draft of the proposed rules. Our analysis of the first draft of the rules can be found here. We will publish an in-depth analysis of the second draft, but at a high level, the revisions appear to refine a number of provisions that may have created compliance difficulties. Specifically, the second draft:

  • Removes the requirement that privacy notices be purpose-based, instead requiring only that the processing purpose and type of personal data processed be linked in a way that gives consumers a meaningful understanding of how their personal data will be used. The previous draft's "purposed based" requirement diverged from requirements in other states, notably California's CCPA, and would have made simultaneous compliance difficult.
  • Substantially reduces the information that must be included in data protection assessments.
  • Includes additional protections for companies' trade secrets when responding to consumer requests related to access and data portability.
  • Includes further detail on the "substantive or material" changes to data processing that will trigger the requirement to update privacy notices.
  • Provides more detail about the duty to safeguard Personal Data, including a requirement to consider "[a]pplicable industry standards and frameworks" when identifying reasonable and appropriate safeguards.

The Colorado Attorney General will hold a Rulemaking Hearing on February 1, 2023 and members of the public may provide written comments through February 1, 2023.