Data Privacy Alert: Colorado AG Issues Guidance
By Tim Rollins
On January 28, 2022, as part of prepared remarks in celebration of Data Privacy Day, Colorado’s Attorney General (AG) outlined key rulemaking topics his office intends to pursue under the Colorado Privacy Act (CPA), which comes into effect July 1, 2023. He also released a data security best practices guide to help organizations understand what is considered reasonable security in Colorado.
These announcements are important because: (1) they provide new insights into how the Colorado AG will address certain topics in the CPA; and (2) they provide a roadmap for organizations preparing to comply with the CPA and otherwise ensure reasonable security under existing Colorado law.
Overview
On July 7, 2021, Colorado became the third state in the US behind California and Virginia to enact a comprehensive data privacy law – the CPA. The CPA, which provides Colorado residents broad new rights over how their data is collected and used by covered organizations, takes effect on July 1, 2023. The Colorado AG has rulemaking authority under the CPA. Until recently, the scope of the Colorado AG’s intended rulemaking process was relatively unknown.
In his remarks on January 28, the Colorado AG outlined his office’s priorities when it comes to drafting these rules, and added further topics, including: (1) privacy notices and addressing “dark patterns”; (2) processes for access and correction requests; and (3) auditing and data protection assessments. The AG outlined a two-step approach to the rulemaking process: (1) obtaining public comment through a series of high-level conversations at meetings and town halls, which will occur soon; and (2) obtaining comments through a formal Notice of Proposed Rulemaking in the fall, which will include a proposed set of model rules.
On the same day, the Colorado AG released a data security best practices guide, outlining key steps organizations can take now to ensure their security practices align with Colorado law. Those steps include: (1) data inventories; (2) developing a written information security policy and incident response plan; (3) managing vendor security; (4) training; (5) following Colorado ransomware guidance; (6) protecting individuals from harm; and (7) regularly reviewing and updating policies.

Expert Analysis by Peter Stockburger, Partner, Data Privacy and Security, Dentons
The Colorado AG’s announcement on its intended rulemaking priorities under the CPA is important for organizations preparing for compliance under the CPA as it indicates areas of interest for the AG’s office. It’s not surprising the AG will be focusing on “dark patterns” as that is an area of interest in other states with comprehensive data privacy regimes, such as in California. It’s also encouraging that there may be additional detail around the data impact assessment requirements, as that is a novel area introduced under the CPA. The Colorado AG’s announcement regarding data security best practices is likewise helpful for organizations as they prepare for compliance under existing legal regimes.
Although the landscape relating to the CPA remains unclear, organizations should consider the following takeaways from this announcement:
- Start Preparing Now. Covered organizations should start planning their compliance strategies now to be flexible when the AG’s proposed regulations are released in the fall. Having a plan in place when the regulations are released will allow organizations to navigate the changes proposed by the AG and leverage the experience from the California legislation and rulemaking process when preparing for the release of the new AG rules.
- Don’t Sleep on Cybersecurity. The Colorado AG’s data protection guidance makes clear that reasonable security is an affirmative obligation under the CPA and an item that is increasingly the focus of the Colorado AG. As organizations get ready for the CPA, analyzing security programs and auditing existing policies and standards will be critical to mitigating overall risk.
Data Privacy Tip
Link your data management engine with multiple privacy, legal and business regulatory obligations to substantiate your decisions based on rich, contextual data insights.