The Colorado attorney general’s office sent shockwaves throughout the privacy world on September 30, 2022, when it published its proposed Colorado Privacy Act (CPA) draft rules (Draft Rules). The Draft Rules are complex and comprehensive; at 38 pages of single-spaced text, they are longer than the CPA itself. The Draft Rules are accompanied by a proposed timeline for stakeholder meetings and a public hearing.
Coming on the heels of this announcement, on October 10, California announced that it will hold meetings on October 21 and October 22 to discuss “possible adoption or modification of the text [of the draft California Privacy Rights Act (CPRA) regulations].”
Below we outline and analyze some of the key provisions of the Draft Rules and call out certain differences between the Colorado Draft Rules and the CPRA draft regulations released in May.