Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.