On Sept. 13, the Colorado Attorney General’s Office proposed amendments to the Colorado Privacy Act (CPA) affecting biometric data, children's privacy, and opinion letters.
Biometric data: The amendments build on HB 1130, adding new requirements for companies collecting biometric data. Businesses must provide a "Biometric Identifier Notice" detailing the type of biometric data collected, its purpose, retention period, and whether it will be shared with third parties. Explicit consent is required before selling or sharing biometric information, and employers must comply when collecting employee biometrics.
Children's privacy: Aligned with SB 41, the amendments provide heightened privacy protections for children and minors. They require explicit consent before processing a minor's data or using system design features that significantly increase, sustain, or extend a minor’s use of online services. Companies must also conduct data protection assessments to address risks to minors' privacy.
Opinion letters: The amendments create a process for businesses to request formal opinion letters from the Colorado attorney general. These letters offer binding, formal guidance on compliance with the CPA, giving companies a good-faith defense if they later face CPA violation claims. Additionally, businesses can request non-binding interpretive guidance, though this advice cannot be used as a defense.
If finalized, the amendments are expected to take effect on July 1, 2025. Public comments can be submitted starting on Sept. 25, ahead of the rulemaking hearing on Nov. 7. Companies should review their practices to prepare for compliance with these new obligations.