On October 1, 2022, the Colorado Attorney General‘s Office announced that it had submitted the first draft of its Rules implementing the Colorado Privacy Act.

The draft Colorado Rules run only 38 pages long—in notable contrast to the draft California regulations that run 66 pages (albeit in redline).  Moreover, the draft Colorado Rules address several important issues that were notably absent from the draft California regulations, including regulations on profiling, data protection assessments (also known as data protection impact assessments and privacy risk assessments under other laws), and the universal opt-out mechanism.

We will be doing deep dives into the Rules, but at first review, it appears that the draft Colorado Rules follow the principle-guided rule making approach Attorney General Weiser discussed at the Colorado Privacy Summit as opposed to a hyper-prescriptive model. 

In addition to the draft Rules, the Colorado Attorney General also released a Notice of Proposed Rulemaking.  Similar to the Pre-Rulemaking considerations, the Attorney General invited comments generally, but especially on specifically listed topics, including the definitions, the consumer personal data rights, the universal opt-out mechanism, controller obligations, loyalty programs, consent, data protection assessments, and profiling. 

The draft Rules will be published in the Colorado Register and available for comment on October 10, 2022.

Subscribe to the CyberAdviser blog to see further analysis on the Colorado and California regulations, as well as other important privacy updates.