Colorado Attorney General Identifies CPA Rulemaking Topics and Publishes Data Security Guidance

Download the Privacy Alert!

Colorado Attorney General Identifies CPA Rulemaking Topics and Publishes Data Security Guidance

Why This Privacy Alert is Important:

On January 28, 2022, as part of prepared remarks in celebration of Data Privacy Day, Colorado’s Attorney General (AG) outlined key rulemaking topics his office intends to pursue under the Colorado Privacy Act (CPA), which comes into effect July 1, 2023. He also released a data security best practices guide to help organizations understand what is considered reasonable security in Colorado.

These announcements are important because: (1) they provide new insights into how the Colorado AG will address certain topics in the CPA; and (2) they provide a roadmap for organizations preparing to comply with the CPA and otherwise ensure reasonable security under existing Colorado law.


On July 7, 2021, Colorado became the third state in the US behind California and Virginia to enact a comprehensive data privacy law – the CPA. The CPA, which provides Colorado residents broad new rights over how their data is collected and used by covered organizations, takes effect on July 1, 2023. The Colorado AG has rulemaking authority under the CPA. Until recently, the scope of the Colorado AG’s intended rulemaking process was relatively unknown.

In his remarks on January 28, the Colorado AG outlined his office’s priorities when it comes to drafting these rules, and added additional topics, including: (1) privacy notices and addressing “dark patterns”; (2) processes for requests to access and correction; and (3) auditing and data protection assessments. The AG outlined a two-step approach to the rulemaking process: (1) obtaining public-comment through a series of high-level conversations at meetings and town halls, which will occur soon; and (2) obtaining comments through a formal Notice of Proposed Rulemaking in the fall, which will include a proposed set of model rules.

On the same day, the Colorado AG released a data security best practices guide, outlining key steps organizations can take now to ensure their security practices align with Colorado law. Those steps include: (1) data inventories; (2) developing a written information security policy and incident response plan; (3) managing vendor security; (4) training; (5) following Colorado ransomware guidance; (6) protecting individuals from harm; and (7) regularly reviewing and updating policies.

Download the Privacy Alert to the right to get the full text and expert analysis!

Download the Resource