The Colorado Privacy Act (CPA) is set to take effect on July 1, 2023. The law, which applies to, among others, many businesses or non-profits that process data of no fewer than 100,000 persons over the course of a year, allows the attorney general to "promulgate rules for the purpose of carrying out" the CPA. Additionally, the law requires the attorney general to "adopt rules that detail technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(I)(a) or (1)(a)(I)(b)." In line with these responsibilities, Attorney General Weiser has publicly stated that his office will provide an official notice of rulemaking and release draft regulations later this year.

While the formal rulemaking process is not scheduled to begin until this fall, the attorney general is currently engaged in a rare "informal pre-rulemaking process" in order to gather additional input from all members of the public before the regulations are drafted. Attorney General Weiser has emphasized the importance of seeking "strong, diverse input from interested persons," including businesses of all sizes that will be subject to the CPA's enforcement regime.

In his April 12 remarks at the International Association of Privacy Professionals Global Privacy Summit, Attorney General Weiser announced that his office was releasing "Pre-Rulemaking Considerations" for the Colorado Privacy Act. These newly released considerations contain "targeted questions for informal input" on topics that would specifically benefit from public feedback. The original document outlining the "PreRulemaking Considerations for the Colorado Privacy Act" can be found HERE. The topics for which Attorney General Weiser requests specific feedback include:

1. Universal Opt-Out

2. Consent

3. Dark Patterns (for obtaining consent)

4. Data Protection Assessment Obligations

5. Profiling and "Legal or Similarly Significant Effects" (arising from automated data processing)

6. Opinion Letters and Interpretive Guidance

7. Offline and Off-Web Collection of Data

8. Protecting Coloradoans in a National Global Economy (and interrelatedness with other data privacy regimes)

9. Additional Topics

Companies doing business in Colorado or who are subject to any of the number of data privacy laws arising across the country should act now to protect their interests in this process and develop internal processes for compliance.