Privacy & Information Security Law Blog

On September 13, 2024, the Colorado Department of Law issued proposed draft amendments to the Colorado Privacy Act (“CPA”) Rules and a notice of proposed rulemaking addressing biometric data, minors’ online privacy, and a framework for opinion letters and interpretative guidance.

Biometric Processing and Protections for a Minor’s Online Activity

One purpose of the draft amendments is to implement statutory changes to the CPA enacted by H.B. 24-1130 (regarding processing of biometric data) and S.B. 24-041 (regarding protections for a minor’s online activity).

H.B. 24-1130 adds definitions to the CPA (i.e., “biometric data”, biometric identifier”) and broadens the CPA’s scope to apply to controllers that control or process biometric identifiers or biometric data. In relation to biometric data/identifiers, H.B. 24-1130 requires processors to maintain specific security breach protocols; and requires controllers to adopt a biometric data policy, fulfill certain obligations before collection or processing, and provide consumers the right to access biometric data. H.B. 24-1130 also imposes obligations relating to the processing of biometric identifiers in the employment context and provides the Department of Law with authority to issue implementing rules.

S.B. 24-041 provides stronger CPA protections for the personal data of minors by creating additional controller and processor obligations, in particular, for controllers to obtain consent for the collection of certain types of personal data or for certain purposes. S.B. 24-041 also establishes additional requirements for data protection assessments that must be conducted when controllers offer online services, products or features to minors.

The proposed draft amendments to the CPA Rules are designed to implement the changes made to the CPA by these two enacted bills. The proposed changes to the CPA Rules include, among others:

• Definitions (Part 2) – minimal revisions to definitions of “biometric data” and “biometric identifiers” to conform to the definitions in the bill; adding a separate definition of “employee” as it applies to the new biometric provisions of the bill; and adding a definition of “minor” to align with the bill;
• Consumer Disclosures (Part 3) – revisions to apply requirements to biometric data policy and minors;
• Consumer Personal Data Rights (Part 4) – revisions to account for additional information a controller must include in response to a request to access biometric data;
• Duties of Controllers (Part 6) – new requirements for biometric identifier notices;
• Consent (Part 7) – revisions regarding obtaining consent prior to certain processing relating to employee biometric identifiers and to minors; and
• Data Protection Assessments (Part 8) – revisions to incorporate data protection assessment requirements relating to minors.

Process of Issuing Opinion Letters and Interpretive Guidance

The other purpose of the draft amendments is to create rules “governing the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation” of the CPA.

The draft amendments address the timing and process for obtaining opinion letters and interpretive guidance. Both are issued by the Colorado Attorney General (“AG”), but interpretive guidance is the AG’s general interpretation of the CPA that is not applied to a specific factual situation, and opinion letters are the AG’s opinions on the application of the CPA to a specific factual situation. The requirements are contained in a new proposed draft (Part 10) of the CPA Rules.

The Department is accepting public input on the proposed draft amendments through a comment portal until Thursday, November 7. A public hearing on the proposed draft amendments will be held on November 7 at 10:00 a.m. MST.