The Colorado Privacy Act (SB190), signed into law on July 8, 2021, is designed to safeguard the privacy of Colorado residents. This comprehensive privacy legislation grants specific privacy rights to individuals, mandates the inclusion of a Privacy Policy on certain websites, and imposes substantial fines for non-compliance. The law is scheduled to take effect on July 1, 2023.

The Colorado attorney general's office has officially completed the regulations for the implementation of the Colorado Privacy Act. These regulations cover various important areas, including universal opt-out mechanisms, data protection impact assessments, user profiling, and transparency. The development of these rules took into account feedback from 137 written comments, allowing for a thorough and inclusive approach. Colorado Attorney General Phil Weiser emphasized the careful consideration given to this feedback, ensuring that the regulations strike a balance between safeguarding consumer rights and providing clear guidance for businesses handling the personal information of Coloradans. With the finalization of these regulations, businesses in Colorado now have a definitive framework to follow in managing data privacy and complying with the Colorado Privacy Act.

The Colorado attorney general's office has recently issued revised draft rules for the Colorado Privacy Act, as reported by Husch Blackwell's "Byte Back." These updated rules are based on the initial draft released in September 2022 and have been shaped by feedback received during three stakeholder sessions held in November 2022. The revisions encompass several aspects, including provisions related to privacy notices, consent requirements, and data protection assessments. Additionally, adjustments have been made to the language regarding universal opt-out mechanisms and dark patterns. The revised draft is now open for public comment until February 1, allowing interested parties to provide their input and insights before the final rules are established.

During his keynote speech at the IAPP Global Privacy Summit 2022 in Washington, D.C., Colorado Attorney General Phil Weiser shed light on his enforcement priorities for the Colorado Privacy Act (CPA). Weiser acknowledged the absence of comprehensive national privacy legislation and emphasized the role of states in filling this gap. Colorado joined the ranks of states asserting their policymaking authority by passing its own privacy law in 2021, becoming the third state to do so. Weiser expressed his preference for a federal law that would establish clear standards and enforcement authority, but highlighted the need for state leadership in the absence of such legislation. As the CPA is set to take effect in 2023, Weiser discussed his approach to implementing and enforcing the law, aiming to ensure robust data privacy and security in Colorado.

During the IAPP Global Privacy Summit 2022, Colorado Attorney General Philip Weiser shared his strategic focus on enforcing the Colorado Privacy Act. Weiser emphasized the importance of differentiating between organizations that unintentionally breach the law and those that deliberately disregard compliance requirements. In alignment with this distinction, his office plans to prioritize enforcement actions against entities displaying "willful noncompliance." By adopting this approach, Weiser aims to ensure that the Colorado Privacy Act is upheld effectively, promoting a culture of data privacy and holding accountable those who purposefully neglect their obligations.

In an effort to promote data security, the Colorado Attorney General's office has released a comprehensive guidance document. This resource outlines crucial measures for protecting sensitive data. As per Colorado law, organizations deemed as covered entities must adhere to notification requirements in the event of a data breach impacting Colorado residents. Specifically, if the breach affects 500 or more Coloradans, affected individuals must be notified, and the Office of the Attorney General must be promptly informed. By following these data security best practices, organizations can uphold their legal obligations and mitigate the risks associated with data breaches.