March 21, 2023

Colorado Finalizes Sweeping New Privacy Rules; Iowa Joins the Fray


There has been a flurry of state privacy activity in the past week, with Colorado becoming the latest state to finalize sweeping data privacy rules and Iowa on the precipice of becoming the sixth state to enact comprehensive privacy legislation. Read this article to learn more about how the new Colorado rules go beyond existing California and Virginia laws, as well as how Iowa stacks up against the five other existing state laws.



On March 15, 2023, the Colorado Attorney General's Office filed the final Colorado Privacy Act rules (together with the underlying Colorado Privacy Act, the Colorado Rules) for publication in the Colorado Register. The rules will take effect on July 1, 2023. Although the Colorado Rules largely mirror California and Virginia requirements, they contain numerous new obligations that go beyond existing law and will require companies to update their compliance programs, including:

  • Additional requirements for deletion requests: Controllers who deny requests to delete must describe the types of data collected from third parties that the company did not delete (this requirement does not apply to data collected directly from the individual).
  • Flow down all data subject rights to processors: Controllers must flow down all data subject requests that controllers honor to processors, including requests to opt out of targeted advertising and sales of personal data. The California and Virginia rules, by contrast, only require flowing down certain requests in limited circumstances.
  • Honor more specific opt-out technologies: California and Colorado both require controllers to honor opt-out preference signals, but Colorado will go further and publish a specific list of universal opt-out mechanisms by January 1, 2024, which will be updated over time. Controllers must honor the specified signals within six months of publication.
  • Detailed privacy notice requirements: Controllers must specify in their privacy notices the express purpose for which each category of personal data is used. Privacy notices must also specify which data subject rights are available to Colorado residents.
  • Granular data protection assessment requirements: Like California and Virginia, the Colorado Rules require controllers to conduct "data protection assessments" when engaging in "higher risk" processing activities, such as processing sensitive data or engaging in selling/targeted advertising. However, unlike California (which has yet to enact regulations) and Virginia (which has limited details), the Colorado Rules require such assessments to include extensive content, including:
    • The nature and operational elements of the processing activity
    • The sources of personal data
    • The technology or processors to be used
    • The names and categories of the personal data recipients
    • Operational details about the processing
    • The core purposes of the processing activity
    • The sources and nature of risks to the rights of consumers
    • Measures and safeguards in place to protect consumers
    • A description of how the benefits of processing outweigh the identified risks.

The Colorado Rules also provide detailed examples showing how to analyze each factor.

  • Detailed consent requirements: The Colorado Rules impose heightened consent requirements, such as when processing sensitive data and making inferences about sensitive characteristics using non-sensitive data. Although consent to process sensitive data is currently required in Virginia, the Colorado Rules add additional granularity and guidance on obtaining such consent.
  • Applicability to nonprofits: Unlike all the other state privacy laws, the Colorado Rules apply to nonprofits that engage in "commercial activity."


Also on March 15, 2023, Iowa's legislature unanimously passed Senate File 262 (S.F. 262), making it the sixth US state consumer privacy law once the governor signs the bill into law. The bill closely resembles the Utah Privacy Act, which followed the model set by Virginia, Colorado and Connecticut while loosening or omitting several key provisions. Similar to jurisdictional triggers in other states (except California), the Iowa law would apply to businesses that control or process personal data on 100,000 Iowan consumers or derive 50% of revenue from selling the data of more than 25,000 Iowan consumers. The law contains similar notice, access, deletion, contracting and enforcement provisions as the laws in these other states. However, like Utah's law, the Iowa bill:

  • Imposes a right to opt out, not opt in, for the processing of "sensitive data"
  • Omits any right to "correct" inaccurate information or to opt out of certain automated "profiling."

The bill, which will take effect January 1, 2025, if enacted, should not create significant new compliance hurdles for most businesses beyond what is already required under existing US state privacy laws. Businesses should nevertheless ensure they closely review the impending Iowa law and incorporate it into their existing privacy programs.


This year has been off to a busy start with new laws taking effect in California and Virginia, California and Colorado finalizing regulations (both of which will require businesses to materially update their compliance programs) and Iowa jumping into the fray. We can expect to see the US state privacy landscape continue to grow increasingly complex as other states introduce new privacy legislation and move this momentum forward. Companies looking for help navigating these complex rules and practical, risk-based compliance recommendations should reach out to one of the authors of this article or your regular McDermott contact.
