What do you need to know about the latest revisions to the Colorado CPA Rules?

Some key points:

Universal Opt-Out Mechanism (UOOM)

  • The Universal Opt-Out Mechanism does not need to be tailored only to Colorado or refer to Colorado or to any other specific provisions of the Colorado Privacy Act.
  • The platform, developer, or provider that provides a Universal Opt-Out Mechanism is not obligated to authenticate that a user is a Resident of Colorado. The platform, developer, or provider may provide such authentication capabilities if it chooses.

Privacy Notice

A privacy notice must feature comprehensive description of the Controller’s online and offline Personal Data Processing practices, including, but not limited to, the following information linked in a way that gives Consumers a meaningful understanding of how each category of their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose:

  • The categories of Personal Data Processed, including, but not limited to, whether Personal Data of a Child or other Sensitive Data is Processed.
  • Categories shall be described in a level of detail that provides Consumers a meaningful understanding of the type of Personal Data Processed. For example, categories of Personal Data described at a sufficiently granular level of detail include, but are not limited to: “real name,” “contact information,” “government issued identification numbers,” “payment information”, “Information from Cookies,” “data revealing religious affiliation,” and “medical data.”
  • If a material change in a privacy notice rises to the level of a Secondary Use, a Controller must obtain Consent from a Consumer pursuant to 4 CCR 904-3, Rules 7.02-7.05 in order to Process Personal Data that was collected before the change to the privacy notice for that Secondary Use.

Purpose Specification

  • Controllers should not identify one broad purpose to justify numerous Processing activities that are only remotely related.
  • Controllers should not specify so many purposes for which Personal Data could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.
  • If the Processing purpose has evolved beyond the originally expressed purpose, such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the originally expressed purpose, the Controller must review and update all related disclosures and documentation as necessary.


  • Consent is not freely given when it reflects acceptance of a general or broad terms of use or similar document that contains descriptions of Personal Data Processing along with other, unrelated information.
  • A controller shall not request Consent after an opt out using schemes that cause consent fatigue, such as interface dominating cookie banners, high frequency requests, cookie walls, pop-ups, or other interstitials that degrade or obstruct the Consumer’s experience on the Controller’s web page or application.
  • Controller may proactively request Consent to Process Personal Data for an Opt-Out Purpose after the Consumer has opted out, by providing a link to a privacy settings page, menu, or similar interface that enables the Consumer to Consent to the Controller Processing the Personal Data for the Opt-Out Purpose, so long as the request for Consent meets all other requirements for valid Consent.
  • A Consumer’s ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.


  • A data protection assessment shall be a genuine, thoughtful analysis of each Processing activity that presents a heightened risk of harm to a Consumer and that identifies and describes the risks to the rights of consumers associated with the processing.
  • If a data protection assessment conducted for the purpose of complying with another jurisdiction’s law or regulation is not similar in scope and effect to a data protection assessment created pursuant to this section, a Controller may submit that assessment with a supplement that contains any additional information required by this jurisdiction.
  • A Controller shall review and update the data protection assessment as often as appropriate, considering the type, amount and sensitivity of Personal Data Processed and level of risk presented by the Processing, throughout the Processing activity’s lifecycle.