In September 2024, the Colorado Attorney General’s Office released proposed draft amendments to the Colorado Privacy Act (CPA) Rules. These amendments focus on two major areas: biometric data collection and use, and children’s online privacy. The proposals align the CPA with two recently enacted state laws, Senate Bill 41 (Privacy Protections for Children’s Online Data) and House Bill 1130 (Privacy of Biometric Identifiers & Data), which are set to take effect in 2025. Public comments are being sought until November 7, 2024, before the final rulemaking process begins.
The biometric privacy amendments introduce several new requirements. Businesses that collect biometric data must provide a “Biometric Identifier Notice” to consumers or employees, detailing the type of biometric information collected, the reasons for its collection, and how it will be used or shared. Additionally, businesses would need to obtain explicit consent before selling or sharing biometric data. Employers can collect biometric identifiers as a condition for employment, but only under more restricted circumstances compared to laws like Illinois’s BIPA.
The draft amendments also introduce new rules to enhance privacy protections for minors. It defines a “child” as someone under 13 and a “minor” as under 18, with added safeguards for teens. The amendments expand the scope of required data protection assessments, particularly for services targeting minors. They also mandate explicit consent from parents or guardians before processing personal data of minors or using features that encourage extended use of online services.
To help businesses comply, the draft amendments include a formal process for seeking interpretive guidance and opinion letters from the Colorado Attorney General’s Office. These letters would offer non-binding, but useful, guidance on how the CPA applies to specific situations. Once finalized, the proposed changes are expected to take effect on July 1, 2025, giving businesses a window to adjust their practices in line with the new regulations.
Reference:
