| Update Applicable to: | Important dates |
| --- | --- |
| All covered entities | Public Comments: September 25, 2024 to November 7, 2024. Public Hearing: November 7, 2024 |
What happened?
On September 13, 2024, the Colorado Attorney General’s office proposed amendments to the Colorado Privacy Act (CPA) Rules to include new laws on biometric and minors’ data. A rulemaking hearing is set for November 7, 2024, with public comments accepted until then.
Quick Summary:
- The amendments address three topics:
(1) biometric privacy,
(2) children’s privacy, and
(3) opinion letters and interpretive guidance.
- The rulemaking hearing is on Thursday, November 7, 2024; written public comments will be accepted from September 25, 2024, until then.
What are the details?
Key points:
The Biometric Bill and the Minors Bill introduce key amendments to the Colorado Privacy Act (CPA).
Biometric Bill:
- Businesses must provide clear notice before collecting biometric identifiers and obtain consent from employees or prospective employees.
- Controllers need valid consent before selling or leasing biometric identifiers.
- Definitions of “biometric data” and “biometric identifiers” are updated to align with HB 1130.
- Effective July 1, 2025
Minors Bill:
- Businesses must exercise reasonable care to avoid harm to minors.
- Consent is required before processing minors’ data for targeted advertising, sale, profiling, or purposes beyond those stated at collection.
- Businesses must conduct data protection assessments and avoid design features that extend minors’ use of services.
- Effective October 1, 2025
Opinion Letters & Interpretative Guidance:
- The proposed amendments allow businesses to request formal opinion letters and informal interpretive guidance from the Attorney General, providing a good-faith defense against CPA violation claims.
- Public Comments: The Attorney General’s office will accept comments from September 25 to November 7, 2024, with a public hearing scheduled for November 7, 2024.
Business Considerations
- Regarding minors’ data, employers should make the necessary changes to ensure their policies and practices comply, especially regarding the overall duty, which includes:
(1) obtaining consent before processing a minor’s data for certain purposes,
(2) avoiding the use of system design features that significantly increase a minor’s use of your service, and
(3) limiting the collection of a minor’s precise geolocation data.
- Regarding biometric data, employers should:
(1) adopt a clear policy outlining the collection, use, storage, and destruction of biometric data, ensuring it is transparent and easily accessible to employees,
(2) obtain explicit, clear, and informed consent before collecting biometric data, explaining the reasons for collection and its intended use, and
(3) limit data collection to the minimum necessary for their purposes, avoiding the collection of irrelevant data.
- Employers should be prepared to request formal opinion letters and informal interpretive guidance from the Attorney General to ensure compliance with the CPA and secure a good-faith defense against potential violation claims.
- Employers should engage in the public comment period from September 25 to November 7, 2024, and attend the public hearing on November 7, 2024, to stay informed and give the agency their feedback on the proposed amendments.
Source References
- CO Detailed Rulemaking Information
- CO Proposed Draft Amendments
- Attorney General 2024 Colorado Privacy Act rulemaking