US State Privacy Update: Colorado AG Identifies CPA Rulemaking Topics and Releases Data Security Best Practices Guidance

On January 28, 2022, as part of prepared remarks in recognition of Global Data Privacy Day, the Colorado Attorney General (AG) outlined key rulemaking topics his office intends to pursue under the Colorado Privacy Act (CPA), a new consumer privacy law that takes effect in July 2023, and released a data security best practices guide to help organizations understand what is considered reasonable security in Colorado.

Below we detail these developments and provide two takeaways for organizations planning for CPA compliance in 2023.

CPA Background

On July 7, 2021, Colorado became the third state in the US behind California and Virginia to enact a comprehensive data privacy law – the CPA. The CPA, which provides Colorado residents broad new rights over how their data is collected and used by covered organizations, takes effect on July 1, 2023. The Colorado AG has rulemaking authority under the CPA. Until recently, the scope of the Colorado AG’s intended rulemaking process was relatively unknown.

CPA Rulemaking Process Overview

The CPA provides three areas the Colorado AG may address in the rulemaking process:

  • Rules detailing the technical specifications for one or more universal opt-out mechanisms that communicate a consumer’s choice concerning the right to opt-out;
  • Rules detailing the submission of data protection assessments; and
  • Rules governing the process of the AG issuing opinion letters and interpretive guidance to develop an operational framework for businesses that includes a good faith reliance defense.

In his remarks on January 28, the Colorado AG outlined his office’s priorities when it comes to drafting these rules, and added additional topics, including:

  • Privacy notices and addressing “dark patterns”;
  • Processes for access and correction requests; and
  • Auditing and data protection assessments.

The AG outlined a two-step approach to the rulemaking process: (1) obtaining public comment through a series of high-level conversations at meetings and town halls, which will occur soon; and (2) obtaining comments through a formal Notice of Proposed Rulemaking in the fall, which will include a proposed set of model rules.

Data Protection Guidance

On the same day, the Colorado AG released a data security best practices guide, outlining key steps organizations can take now to ensure their security practices align with Colorado law. Those steps include:

  • Keeping an accurate and up-to-date inventory of the types of data collected, and developing a system for how to store and manage that data;
  • Developing a written information security policy;
  • Adopting a written data incident response plan;
  • Managing the security of vendors;
  • Training employees to prevent and respond to cybersecurity incidents;
  • Following the Colorado Department of Law’s ransomware guidance to improve cybersecurity and resilience against ransomware and other attacks;
  • Timely notification of victims and relevant authorities;
  • Protecting individuals impacted by a data security incident from identity theft and other harm; and
  • Regularly reviewing and updating security policies.

Key Takeaways

Organizations covered under the CPA or otherwise collecting the personal information of Colorado residents should keep the following two takeaways in mind:

  • Prepare for the CPA now. Although the CPA does not take effect until July 2023, covered organizations should start planning their compliance strategies now so they can adapt when the AG’s proposed regulations are released in the fall. Having a plan in place when the regulations are released will allow organizations to navigate the changes proposed by the AG with less burden than creating a compliance program from the ground up. Organizations can also leverage the experience from the California legislation and rulemaking process when preparing for the release of the new AG rules.
  • Don’t sleep on cybersecurity. The Colorado AG’s data protection guidance makes clear that reasonable security is an affirmative obligation under the CPA and an item that is increasingly the focus of the Colorado AG. As organizations get ready for the CPA, analyzing security programs and auditing existing policies and standards will be critical to mitigating overall risk.