After the conclusion of the public comment period earlier this month, the Colorado Department of Law adopted amendments to the Colorado Privacy Act (CPA). The Act grants rights to Colorado consumers concerning their personal information, including the right to access, delete, and correct their personal data as well as the right to opt out of the sale of their personal data or its use for targeted advertising or certain kinds of profiling.

The amendments include:

  • Requirements for data controllers (which include employers) that collect biometrics to provide pre-collection notice to individuals;
  • Specific guidelines on employers’ collection of biometric data, including retention requirements and deletion requirements;
  • Requirement that data controllers obtain consent from any consumer under the age of 18 before the data controller can process personal information; and,
  • New methods for businesses to contact the Colorado Attorney General for guidance on regulatory compliance.

The amendments also include some implementation-friendly clarifications, such as:

  • The required biometric data collection notice can be included in a business’ general privacy notice;
  • Consent for processing the personal information of a minor is only required if the data controller “actually knows or willfully disregards” facts indicating that the consumer is under 18 years of age;
  • Employers are allowed to “refresh” consent to collect biometric data (in certain limited circumstances);
  • Attorney-client privilege is not waived when seeking an opinion letter from the Colorado Attorney General after submitting a data protection assessment; and,
  • Data protection assessments submitted to the Colorado Attorney General are exempt from public inspection under the Colorado Open Records Act.

The amendments will become effective 30 days after they are published in the state register. Given this short period, businesses subject to the CPA should start preparing for compliance. To see the amendments, click here.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.