Businesses, non-profits, and other entities that must comply with Colorado’s new Privacy Act (CPA) can now submit feedback on the proposed regulations that the Colorado Attorney General’s Office published on September 29. Though Colorado was the third state to pass a comprehensive privacy law, the CPA and proposed regulations differ from other states’ framework in material ways including declaring that some inferences made about consumers will fall under the CPA’s heightened protections for sensitive information, requiring privacy policy disclosures to be organized according to purpose of collection, and determining which Universal Opt-Out Mechanisms companies will need to honor. 

As part of the rulemaking process, the Attorney General must consider the public’s feedback on the proposed rules before publishing a final version. There are several ways for the public to submit input, including participating in the several feedback sessions the Attorney General held this month, registering for the formal rulemaking hearing in February, and submitting public comments via an online portal.  

Submitting public comments provides a powerful vehicle to voice approval of or concern over the proposed rules. Entities that fall under the scope of the CPA should voice the feasibility of compliance under the proposed regulations because such comments can influence the outcome of the final rules. This can make a difference in issues such as the cost of compliance, website design and user experience, and whether the CPA’s requirements are interoperable with other privacy frameworks (e.g., “CCPA”). 

It is no surprise that several of the 17 public comments that have been made public so far address the CPA’s Universal Opt-Out Mechanism (UOOM) provision that requires website owners to honor consumer opt-out requests communicated through automated means, like a browser signal. One issue at the center of the UOOM requirement is whether controllers should be able to unilaterally reconcile conflicting UOOM signals in favor of a consumer’s privacy settings with a specific business. Other comments request greater clarity for compliance obligations and highlight issues regarding First Amendment considerations, the role of service providers in responding to consumer rights requests, and the scope of privacy assessments. 

The Attorney General posts all submitted comments online and Colorado law requires that comments be included in the official rulemaking record; which the public can request. Entities can submit individual comments or work with their industry associations and other groups to submit comments. The public comment period will close after the rulemaking hearing on February 1, but the Attorney General suggests submitting comments before January 18 to give time to review and incorporate input into the revisions presented at the hearing.  

The CPA and the Attorney General’s enforcement authority will go into effect on July 1, 2023. The CPA’s 30-day cure period sunsets January 1, 2025.