• The Colorado Privacy Act is scheduled to go into effect July 1st, 2023, and the attorney general’s office indicated final rules would be issued soon
  • Companies that handle sensitive information, including during all phases of the employment process, must conduct and document data protection assessments.  These assessments include cataloging and describing all automated employment tools, including whether or not they have been audited for bias
  • Universal opt-out mechanisms must be in place, and a company processing sensitive data must provide people with that opt-out choice.  Concerns were expressed by witnesses around the accuracy of these tools and the risks associated with potential errors









The Colorado Privacy Act (CPA), signed into law 07/07/2021, is one of many new and emerging laws aiming to protect consumer privacy.  This law stands out because it regulates the processing and management of consumer data, capturing both the manual and automated techniques used for processing.  It also regulates the handling of data for employment purposes, broadly defining that scope as anything “having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, as well as other information maintained because of the Employer-Employee relationship.”





The third and final rules hearing was held 02/01/2023, and the attorney general reviewed some of the updates from the second hearing before public comments were accepted.  For the most part, many of the updates were clarifications (including examples added in the rules text) and edits made for conciseness.  As a result, many of the public comments had to do with providing even greater clarity in some areas, and not necessarily sweeping changes.





There are two main items in the rules that could bring significant changes for employers:





  • Data protection assessments
  • Universal opt-out mechanisms









Data protection assessments





The data protection assessments referred to in the current rules are broad, and would require any employer handling sensitive data, whether for consumer or employment purposes (all are considered “consumers” in this law), to perform an assessment for any tools they use to process, store, retain or share personal data.  These assessments must include justification, intended purpose, and risks of using these tools, and include mitigation measures in place.









Universal opt-out mechanisms





The current draft states that Universal opt-out mechanisms must also be implemented, and allow consumers to opt out of all data processing or for a specific purpose.  It also seems that, at the moment, these mechanisms will need to be approved by the state, and that companies will have a list of approved tools to select from at some point.





Comments were made as to the accuracy of these opt-out mechanisms.  For example, this paper found that:

Even though the majority of analyzed websites offered privacy choices, they were located inconsistently across websites. Furthermore, some privacy choices were rendered unusable by missing or unhelpful information, or by links that did not lead to the stated choice.





It appears that the move to standardize mechanisms through an approval process agree with that paper’s conclusion, that “the standardization of choices through regulation could improve the usability of choices.”









What to expect





Final comments are being accepted through 02/03/2023, and the law goes into effect 07/01/2023.  The attorney general’s office indicated final rules would be issued soon





There is going to be a right to cure violations within 60 days, but that will end January 1st, 2025.





Proceptual can help you design a flexible governance plan to meet your AI compliance needs, including those for Colorado.   Why is this important? Because more and more states are adding laws like this, and our mission is to make the compliance process as simple as possible for you.









Link to the latest rules (as of 02/02/2023)