OneTrust DataGuidance confirmed, on 3 October 2022, with David Stauss, Partner at Husch Blackwell, that the Colorado Attorney General ('AG') published, on 30 September 2022, its draft rules implementing the Colorado Privacy Act ('CPA'). In particular, the rules would expand privacy requirements under the CPA and address topics, such as consumer requests, data protection assessments, profiling, and the universal opt-out mechanism.

Furthermore, the current version of the draft rules:

• creates a new definition of biometric data;
• clarifies how controllers must respond to consumer requests;
• provides that controllers must notify consumers of substantive and material changes to privacy notices 15 days before they become effective;
• establishes disclosure requirements around bona fide loyalty programmes;
• provides details on the unified opt-out mechanism requirements;
• mandates controllers to create and enforce document retention schedules;
• creates a new category of sensitive data ('sensitive data inferences'), and requires that inferences from individuals over 13 years of age be deleted no later than 12 hours after collection if controllers collect them without consent;
• elaborates on the right to opt out of profiling;
• provides an analysis of dark patterns and guidance on obtaining user consent; and
• sets out requirements on performing data protection assessments.

You can read the draft rules here.

UPDATE (14 November 2022)

AG releases public comments received from first stakeholders session

The Colorado AG' published, on 10 November 2022, the public comments submitted by stakeholders on proposed draft rules implementing the CPA. In particular, the AG stated that it will produce better rules if it receives diverse input from interested actors.

You can read the comments here.