Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

US State Privacy Update: Colorado AG Identifies CPA Rulemaking Topics and Releases Data Security Best Practices Guidance

By Peter Stockburger
February 9, 2022
  • Consumer Protection
  • Cybersecurity
  • Enforcement
  • New and Proposed Laws
  • United States

On January 28, 2022, as part of prepared remarks in recognition of Global Data Privacy Day, the Colorado Attorney General (AG) outlined the key rulemaking topics his office intends to pursue under the Colorado Privacy Act (CPA), a new consumer privacy law that takes effect in July 2023, and released a data security best practices guide to help organizations understand what is considered reasonable security in Colorado.

Below we detail these developments and provide two takeaways for organizations planning for CPA compliance in 2023.

CPA Background

On July 7, 2021, Colorado became the third state in the US behind California and Virginia to enact a comprehensive data privacy law – the CPA. The CPA, which provides Colorado residents broad new rights over how their data is collected and used by covered organizations, takes effect on July 1, 2023. The Colorado AG has rulemaking authority under the CPA. Until recently, the scope of the Colorado AG’s intended rulemaking process was relatively unknown.

CPA Rulemaking Process Overview

The CPA provides three areas the Colorado AG may address in the rulemaking process:

  • Rules detailing the technical specifications for one or more universal opt-out mechanisms that communicate a consumer’s choice concerning the right to opt-out;
  • Rules detailing the submission of data protection assessments; and
  • Rules governing the process of the AG issuing opinion letters and interpretive guidance to develop an operational framework for businesses that includes a good faith reliance defense.

In his remarks on January 28, the Colorado AG outlined his office’s priorities for drafting these rules and added further topics, including:

  • Privacy notices and addressing “dark patterns”;
  • Processes for access and correction requests; and
  • Auditing and data protection assessments.

The AG outlined a two-step approach to the rulemaking process: (1) obtaining public comment through a series of high-level conversations at meetings and town halls, which will occur soon; and (2) obtaining comments through a formal Notice of Proposed Rulemaking in the fall, which will include a proposed set of model rules.

Data Protection Guidance

On the same day, the Colorado AG released a data security best practices guide, outlining key steps organizations can take now to ensure their security practices align with Colorado law. Those steps include:

  • Keeping an accurate and up-to-date inventory of the types of data collected, and developing a system for how to store and manage that data;
  • Developing a written information security policy;
  • Adopting a written data incident response plan;
  • Managing the security of vendors;
  • Training employees to prevent and respond to cybersecurity incidents;
  • Following the Colorado Department of Law’s ransomware guidance to improve cybersecurity and resilience against ransomware and other attacks;
  • Notifying victims and relevant authorities in a timely manner;
  • Protecting individuals impacted by a data security incident from identity theft and other harm; and
  • Regularly reviewing and updating security policies.

Key Takeaways

Organizations covered under the CPA, or otherwise collecting the personal information of Colorado residents, should keep the following two takeaways in mind:

  • Prepare for the CPA now. Although the CPA does not take effect until July 2023, covered organizations should start planning their compliance strategies now so they can adapt when the AG’s proposed regulations are released in the fall. Having a plan in place when the regulations are released will allow organizations to navigate the changes proposed by the AG with less burden than building a compliance program from the ground up. Organizations can also draw on the experience of the California legislation and rulemaking process when preparing for the release of the new AG rules.
  • Don’t sleep on cybersecurity. The Colorado AG’s data protection guidance makes clear that reasonable security is an affirmative obligation under the CPA and an item that is increasingly the focus of the Colorado AG. As organizations get ready for the CPA, analyzing security programs and auditing existing policies and standards will be critical to mitigating overall risk.
About Peter Stockburger

Peter Stockburger is the office managing partner for the Firm's San Diego office, a member of the Firm's Global Data Privacy and Venture Technology Groups, and co-lead of the Firm's Autonomous Vehicles practice. With a focus on data privacy and security, Peter partners with clients around the globe to leverage data and talent to grow, operate, and protect their business.
