Colorado is set to be one of five states with a data protection law in place in 2023. Most have followed the lead set by California, which by default does not require consent to collect or process personal data. In that sense, California's precedent for the US is a significant departure from the data protection laws in other countries, most notably the pan-European GDPR, which often feature a consent requirement as the starting position for gathering and processing consumer information.
In October, the Colorado Attorney General issued draft regulations to accompany and implement its pending data privacy law. In contrast to California, Colorado would require consent as a threshold for collecting and using data in certain circumstances, namely relating to biometric and sensitive personal data, as well as data used for targeted advertising.
Why It Matters
It is becoming increasingly important for US businesses to understand what data they collect through websites, apps, normal business and employee communications, and other channels so that they can evaluate whether they comply with the proliferating security and privacy requirements imposed by state data protection laws. Unlike the EU and other western countries/economies, the US has no single privacy standard imposed by a national data protection law. If more states continue to pass data protection laws, even companies at the forefront of compliance may struggle to keep up with new developments. Colorado is a case in point: if Colorado institutes a consent requirement, even companies that comply with California's already-stringent laws may have to revamp their notice and collection procedures to remain compliant with new data protection rules.