Rulemaking For Colorado Privacy Act Begins

In January Colorado Attorney General Phil Weiser announced key rulemaking topics he will pursue under the Colorado Privacy Act that goes into effect July 1, 2023. His office also released a data security best practices guide to help organizations understand what is considered reasonable security. Those practices include data inventories; developing a written information security policy and incident response plan; managing vendor security; training; following Colorado ransomware guidance; protecting individuals from harm; and regularly reviewing and updating policies. The AG has rulemaking authority under the Privacy Act, but until the January announcement the scope of the rulemaking process was relatively unknown. It will include public-comment through meetings and town halls, and obtaining comments through a formal Notice of Proposed Rulemaking in the fall, which will include a proposed set of model rules.