A few months ago we wrote about the proposed draft rules for the Colorado Privacy Act (CPA) (“draft rules”). Since then, the Colorado Attorney General’s Office has published two updated versions of the draft rules. The third and latest version of the proposed draft CPA rules was published on January 27, 2023 and the comment period for this version ended on February 3, 2023. Below is a brief high-level overview of some of the key changes made in the past two revisions of the draft rules.

Duty of Care

The revised draft rules provide more details regarding the duty of care requirement, explaining that personal data must be processed in a way that ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of personal data that is collected, stored, and processed. The modified draft rules specify that when considering what reasonable and appropriate safeguards are, controllers should consider the following:

  1. The applicable industry standards, and frameworks;
  2. The nature, size, and complexity of the controller’s organization;
  3. The sensitivity and amount of personal data;
  4. The original source of personal data;
  5. The risk of harm to consumers resulting from unauthorized or unlawful access, use, or degradation of the personal data; and
  6. The burden or cost of safeguards to protect personal data from harm assessed in the risk of harm analysis.

Going further, the revised draft rules highlight the requirements when designing reasonable and appropriate administrative, technical, organization, and physical safeguards. Specifically, these safeguards must:

  1. Protect against unauthorized or unlawful access to, or use of, personal data and the equipment used for the processing and against accidental loss, destruction, or damage;
  2. Ensure the confidentiality, integrity, and availability of personal data collected, stored, and processed;
  3. Identify and protect against reasonably anticipated threats to security or the integrity of information; and
  4. Ensure compliance with data security policies by the controller and processors.

Data Protection Assessments

The revised draft rules consisted of many changes to the content and requirements of data protection assessments. Specifically, the draft rules reduced the number of minimum requirements that data protection assessments must include. The previous draft highlighted 18 points whereas the current draft only includes 13 points. The requirements of a data protection assessments include, but are not limited to:

  1. Summary of the processing activity;
  2. Categories of personal data processed and whether it includes sensitive data or personal data from a child;
  3. Nature and operational elements of the processing activity;
  4. Core purposes of processing activity;
  5. Safeguards and measures the controller has in place to reduce potential risks; and
  6. Information on any internal or external audits that were conducted.


The revisions remove the requirement for controllers to process opt out requests within fifteen days and the draft rules now require controllers to process the requests “as soon as feasibly possible and without undue delay.” The rules also take into account the size and complexity of the controller’s business and the burden of carrying out the opt-out requests. 

In addition, controllers will now have a six month period to recognize the Universal Opt-Out Mechanisms, which are mechanisms that controllers must comply with under the draft rules to help consumers clearly and simply exercise their rights to opt-out. The initial list of Universal Opt-Out Mechanisms that meet the standards of the draft rules will now be published earlier in the year, on January 1, 2024.


The modifications of the draft rules removed the requirement to take steps to verify a consumer’s age before processing the personal data when controllers are operating websites directed to children or knows that they are collecting personal data from children.  Now, the draft rules focus on the controller obtaining consent from a parent or legal guardian when the controller is involved or is aware that there are processing activities involving the collection of personal data from a known child.

Additionally, the revisions to the draft rules now require controllers to refresh consent from consumers when the consumer has not interacted with the controller in the prior 12 months and the controller:

  1. is processing sensitive personal information; or
  2. processing personal data for secondary use and the secondary use includes profiling for a decision that can result in the “provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.”

If the controller provides consumers the access and ability to update their opt-out preferences at any time through a user controller interface, controllers are not required to refresh consent.

As the Colorado Attorney General’s Office finalizes the draft rules, businesses subject to the CPA should keep a look out to understand the key rules and requirements they must follow under the CPA when it becomes effective on July 1, 2023. Taft’s Privacy and Data Security attorneys will continue to monitor the draft CPA rules and other developments relating to the CPA. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.