On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.

On September 30, 2022, the Colorado Attorney General’s Office (“Colorado AG”) issued its proposed draft Colorado Privacy Act (“CPA”) Rules (the “CPA Rules” or “Rules”). The draft Rules, which impose significant complexity and obligations on businesses, go far beyond what was expected of the Colorado AG and, despite the repeated insistence on interoperability with other state laws, veer sharply away from the approaches being taken in California in many respects.

Rulemaking Process Timeline 

The Colorado AG will hold three virtual stakeholder meetings on November 10, 15, and 17, 2022. The stakeholder meetings are a forum for the AG to gather feedback from a broad range of stakeholders and aid in the development and finalization of the Rules to implement the CPA. Written comments for stakeholder meetings must be submitted by November 7, 2022.

In addition, the AG may host additional opportunities for public input beyond those listed above if it determines doing so is prudent or necessary to revise the Rules and incorporate stakeholder input. The dates and times of these additional sessions will be announced via the CPA rulemaking mailing list and on the AG’s website.

On February 1, 2023, the AG will hold a public hearing at 10:00 am CST. The hearing will be conducted both in person and by video conference. All interested parties must register to attend the public hearing, which can be done through the AG’s website. Interested parties can also testify at the rulemaking hearing and/or submit written comments through the online CPA rulemaking comment portal.

The February 2023 hearing date marks the end of the public comment period (unless the AG makes substantial modifications to the Rules that would require the rulemaking process to be completed a second time). After the hearing, the AG will have 180 days to file adopted Rules with the Colorado Secretary of State for publication in the Colorado Register. The Rules will then take effect twenty days after publication. The CPA itself goes into effect on July 1 of next year.

Content Highlights

The draft Rules are organized into nine parts: (1) general applicability; (2) definitions; (3) consumer disclosures; (4) consumer personal data rights; (5) universal opt-out mechanism (“UOOM”); (6) controller duties; (7) consent; (8) data protection assessments (“DPAs”); and (9) profiling.

While we will be posting a more in-depth analysis of the draft Rules shortly, a few of the more notable aspects of the Rules that jump out immediately are:

  • Privacy Notice Content Requirements: The draft Rules set forth granular requirements as to the content that will be required in CPA-compliant privacy notices. Interestingly, while the Colorado AG has repeatedly emphasized interoperability with other state laws, such as California, the privacy notice requirements encompassed within the draft Rules are tied to processing purposes, rather than categories of personal information, representing a markedly different approach than the current California Consumer Privacy Act (“CCPA”) and proposed draft California Privacy Rights Act (“CPRA”) regulations. Pursuant to the Rules, each processing purpose must be described “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing Purpose.”
  • UOOM Specifications: The draft Rules introduce detailed technical and other specifications regarding the UOOM, Colorado’s version of the global privacy control (“GPC”) concept, which includes requirements for browser/device-based opt-outs, along with a publicly available “Do Not Sell” list akin to the “Do Not Call” list maintained by the FCC.
  • Profiling: The draft Rules prescribe detailed provisions regarding profiling in furtherance of decisions that produce legal or similarly significant effects. We do not yet have CPRA regulations on this topic.
  • Sensitive Data Inferences Duty: The draft Rules create a new category of sensitive data known as “Sensitive Data Inferences,” which means “inferences made by a Controller based on Personal Data, alone or in combination with other data, which individuate an individual’s racial or ethnic origin, religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.” Under the Rules, controllers are limited to processing such inferences only under certain circumstances and must ensure that any inferences of this nature are deleted within 12 hours of collection.
  • Explicit Data Retention Schedule Requirement: The draft Rules also provide that in order to ensure that personal data is “not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.” In practice, this means that companies subject to compliance with the CPA will need to create data retention and destruction schedules if they do not already have one in place.

Stay Tuned For More

Please stay tuned for further analysis on these and other provisions in the draft Colorado regs.

As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021.  The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.

In their must-read analysis, they break down the similarities and differences of the three US state consumer privacy regimes.

Colorado’s SB 21-190 has passed both chambers and if not vetoed will become the 3rd omnibus state privacy law enforceable 7/1/23.  It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including via means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or obtain a portable copy of it.  It does not apply to employee data.  It specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination and sensitive data, and requires risk assessments for certain “high risk” processing activities.  The law is closer to Virginia’s CDPA than California’s CCPA/CPRA, but there are material differences.  Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

How to use Cookie Banners and CMPs to Minimize Rather than Create US Privacy Risks: Free CLE Passes Available

Heading to Chicago next week for iTech’s 2026 World Technology Law Conference?

The Colorado AI Act Hits a Wall: Litigation, Legislative Uncertainty, and an Enforcement Standstill

European Court rules on when first access requests may be excessive

Upcoming Speaking Engagements: Insights on Data Privacy, AI, and Cybersecurity

Here We Go Again – House Republicans Introduce Federal Consumer Privacy Bill

Stay Ahead on Consumer Privacy News

Not a subscriber yet? Subscribe here to be among the first to receive timely updates on the fast-moving world of data privacy, security, and innovation—delivered straight to your inbox.

Looking for deeper insights and expert analysis? You can also subscribe here to our privacy attorneys’ marketing communications for thought leadership and rich content when you need a more comprehensive perspective.

The Colorado AI Act (SB24-205) is effectively frozen just weeks before its June 30, 2026 effective date, following a stay in enforcement of the law by a Magistrate Judge in the District of Colorado on April 27, 2026.

Background

By way of background, on April 9, xAI filed suit in federal court seeking to enjoin the law on First Amendment, Dormant Commerce Clause, due process, and equal protection grounds, arguing that the Act’s algorithmic discrimination provisions would compel developers to reengineer model outputs to conform to state-preferred viewpoints. Two weeks later, the Trump DOJ intervened—the first time the federal government has moved to invalidate a state AI law under the President’s December 2025 executive order. xAI and the Colorado Attorney General subsequently filed a Joint Motion to Vacate Scheduling Conference and Suspend Case Deadlines and Stipulation to Temporarily Stay Enforcement (the “Motion”). The magistrate assigned to the case granted the Motion, which has the effect of preventing enforcement of the law by the Colorado Attorney General. The order also requires xAI to submit a motion for preliminary injunction and, if necessary, file an amended complaint, within 28 days after final adoption of rulemaking implementing the AI Act or any legislation that may replace or amend the AI Act.

Legislative Replacement Efforts

Due in part to pressure from the Trump Administration, there is a legislative replacement effort underway. Governor Polis’s AI Policy Work Group released a proposed framework on March 17 that would substantially narrow the Act’s scope to be closer to the CCPA’s automated decision-making technology regulations, add a 90-day cure period, and push the effective date to January 1, 2027. The effort is coming down to the wire. The legislature adjourns May 13, and no bill has been formally introduced. While Colorado can pass a bill in as few as three days, the political dynamics that have stymied reform through two prior legislative cycles and a special session mean nothing is certain.

AG Weiser’s Non-Enforcement Commitment

Also relevant is AG Philip Weiser’s voluntary commitment not to enforce the AI Act. In the joint court filing, Weiser’s office stated it will neither promulgate implementing rules nor enforce the Act until after the legislative session concludes and any resulting rulemaking is complete. Given that rulemaking hasn’t even begun, this pushes any realistic enforcement timeline well past June 30 regardless of the litigation outcome—meaningful breathing room for companies that have been building compliance programs around the Act’s impact assessment and disclosure requirements.

Stay tuned to Privacy World for more on this and other developments.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.


Over the years, we have followed unsuccessful attempts by Congress to develop a national consumer privacy law. Each time, two key issues have frustrated passage: (1) the degree to which, if at all, a federal law should preempt state consumer privacy laws (CPLs); and (2) whether there should be a private right of action. The now 22 state CPLs have all avoided a private right of action, so potentially that issue will not be as contentious this go-around. Also, the 22-state patchwork makes a case for the federal government to at least set a ceiling, if not completely occupy the field. However, California, Colorado, Connecticut, Oregon, Minnesota, Maryland and other states seem intent on maintaining a higher level of privacy protection than a baseline, and the Congresspersons and Senators from these higher watermark states may well continue to resist preemption, or at least raise the national bar. The new House Republican bill, the SECURE Data Act, is at best pretty middle of the road compared to the patchwork of state CPLs and would establish a single national regime that completely overrides state CPLs: “No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.” It was introduced along with an amendment to the Gramm-Leach-Bliley Act, the GUARD Financial Data Act. The House Committee on Energy & Commerce sums up both bills here.


On April 16, 2026, Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (“APDPA”) after a unanimous vote in favor from both chambers of the Alabama legislature.  The APDPA is the 22nd state consumer privacy law overall (counting Florida) and the second one enacted in 2026, following enactment of Oklahoma’s privacy law in March (summarized here).

We highlight key features of the APDPA below.  (We also offer a subscription service that offers details and comparisons (by topic) of state consumer privacy laws (“CPLs”).)


On March 20, 2026, Oklahoma Governor Stitt signed the first new comprehensive state privacy law of 2026. The “Act relating to data privacy” is in force on January 1, 2027. In this post, we compare the new Oklahoma privacy law to the other 20 state consumer privacy laws already in force below.


In 2025, India’s approach to AI has shifted significantly, from “Will AI change the way business is done?” to “What is the best way to adopt it to enable business expansion?” Guided by the principles of People, Planet, and Progress, “Safe and trusted AI for all” has become the motto governing India’s approach to AI. The evolving digital infrastructure, specific sector-driven regulation, techno-legal philosophy, strength of the powerful Global South, and a strong inclusion narrative are cornerstones of India’s AI journey.
