On September 13, 2024, the Colorado Attorney General’s Office (AG) published proposed amendments to the Colorado Privacy Act (CPA) Rules that create new requirements for the collection and use of biometric data and children’s privacy. The proposal also introduces a process for businesses to request guidance from the AG on complying with the CPA.

The proposed rules are designed to align the CPA with two recently enacted state laws, Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, which come into effect starting in 2025.

Comments to the AG’s proposed amendments may be submitted beginning on September 25, 2024, until the November 7, 2024 rulemaking hearing.

Privacy of Biometric Identifiers & Data

Under the draft amendments, businesses must implement a Biometric Identifier Notice that details the types of biometric identifiers collected, the purpose for which such identifiers are collected, the retention period for such identifiers, and whether such identifiers are disclosed to any third-party and for what purpose.

The AG’s proposal also requires businesses to obtain explicit consent from individual’s prior to selling, disclosing, or otherwise disseminating biometric information, building on the opt-in requirement already contained in the CPA.

Notably, the new notice and consent requirements apply to all businesses that collect or process biometric identifiers, even if the business does not otherwise meet the CPA’s applicability threshold. The amendments also apply in the employment context, requiring notice and consent before the collection or disclosure of biometrics from employees. Certain exceptions are built into the consent requirements, including an exception allowing for dissemination of biometric data to processors if necessary for the purpose for which the biometric data was collected and to which the individual consented.

Privacy Protections for Children’s Online Data

The proposed amendments create heightened privacy protections for teenagers by applying requirements to minors (defined as those under 18) in addition to children (defined as those under 13).

Other notable changes related to children’s privacy include requiring explicit consent before processing a minor’s data or before using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature. In the case of children, this explicit consent must be obtained from the child’s parent or guardian.

The amendments also expand the scope of data protection assessment obligations for controllers who offer an online service, product, or feature to consumers they know, or willfully disregard, are minors if there is a heightened risk of certain harm to minors, including the risk of a security breach impacting minors’ data. The data protection assessment must include whether and why personal data from minors is processed and identify potential sources and types of heightened risks to minors that are reasonably foreseeable results of offering online services, products, or features to minors. If there is such heightened risk, the controller must establish a plan to mitigate or eliminate this risk.

Opinion Letters

The AG’s proposed amendments provide a method for businesses to request a formal opinion letter from the AG on the CPA’s applicability. These formal opinions would constitute binding guidance, and provide businesses with a good-faith defense against claims of CPA violations. The draft amendments also give businesses the ability to request informal, interpretive guidance from the AG on a non-binding basis.

Our Data Privacy and Cybersecurity practice regularly works with clients to address issues related to biometric data and children’s privacy, as well as the overall process of assessing and implementing privacy compliance requirements. If you have any questions, please do not hesitate to contact any member of our team.