Reed Smith In-depth

On September 30, 2022, the Colorado Attorney General’s office (AG) published proposed rules (Rules) for the Colorado Privacy Act (CPA). These draft Rules follow this summer’s California Privacy Rights Act (CPRA) draft regulations. This post highlights several notable differences between the draft CPA and CPRA regulations, including technical details about global privacy controls, new consent requirements, and new sensitive data limitations.


The Rules have been made available for public comment, and the AG will hold a series of stakeholder meetings on November 10, 15, and 17, 2022, followed by a public hearing on February 1, 2023. The CPA goes into effect on July 1, 2023.


The Rules clarify the definition of “Publicly Available Information” by specifically including in the definition “[i]nformation that a controller has a reasonable basis to believe the consumer has made lawfully available to the general public.” This is defined to include (1) information known to be available to the general public; (2) information that a consumer has intentionally made available to the general public; and (3) information that a consumer has made available under federal or state law.

The Rules also specifically exclude the following from the definition of “Publicly Available Information”:

  • Any personal data obtained or processed that constitutes posting a private image for harassment or criminal invasion of privacy
  • Inferences made exclusively from multiple independent sources of publicly available information
  • Biometric Data
  • Genetic Information
  • Publicly Available Information that has been combined with non-publicly available Personal Data
  • Nonconsensual Intimate Images known to the controller

The Rules also distinguish “Automated Processing” where there is human involvement (i.e., meaningful consideration of available data, as well as the authority to change or influence the outcome of the processing) from such processing where there is only a human review, which “does not rise to the level required for Human Involved Automated Processing.” The third category is “Solely Automated Processing,” which has no human review, oversight, involvement, or intervention. The right to opt-out is directed at Solely Automated Processing and Human Reviewed Automated Processing, and controllers may, but do not have to take action on requests to opt-out of profiling based on Human Involved Automated Processing (provided a controller makes other required disclosures).