Colorado Privacy Act Passed and Signed into Law
Colorado has joined California and Virginia in passing a comprehensive data privacy law to protect state residents. It has taken several amendments to get the Colorado Privacy Act over the line, but the Act was finally passed unanimously by the state Senate on June 8, 2021. On July 7, 2021, Colorado Governor Jared Polis signed the bill, which will take effect on July 1, 2023.
The Colorado Privacy Act applies to all data controllers that conduct business in Colorado and that either control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers.
Exceptions include protected health information collected, processed, or stored by HIPAA-covered entities and their business associates; any personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA); data regulated by the Children’s Online Privacy Protection Act of 1998 (COPPA); and individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
The Colorado Privacy Act gives Colorado resident consumers five rights over their personal data.
- The right to opt out of the processing of personal data for targeted advertising purposes, the sale of their personal data, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.
- The right to access their personal data held by a data controller.
- The right to make corrections to their personal data if inaccuracies are identified.
- The right to have their personal data deleted.
- The right to have their data provided in a portable and ready-to-use format.
All entities covered by the Colorado Privacy Act have responsibilities with respect to the data they collect and process.
- Transparency – Consumers must be notified about the reason for the collection and processing of personal data. If personal data is sold or used for targeted advertising, consumers must be informed. Data controllers must not require consumers to create a new account to exercise one of their rights, nor increase the cost or decrease availability based on the exercising of a consumer right.
- Purpose of collection – Consumers must be informed about the specific purposes for which personal data is being collected and processed.
- Data minimization – The personal data collected and processed must be limited to what is reasonably necessary to achieve the purpose for data collection and processing.
- Secondary data uses – Secondary data uses must be avoided if they are not compatible with the purpose for data collection and the consent provided by consumers.
- Data security – Data controllers must ensure personal data is secured to prevent unauthorized access.
- Unlawful discrimination – Data collected and processed must not violate federal anti-discrimination laws.
- Sensitive data – Sensitive data, such as information related to ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship status, genetic/biometric data, and the personal data of minors, can only be collected and processed if consumers provide their consent through an opt-in process.
- Contracts with processors – A data controller is required to enter into a contract with a data processor, with the contract stating the processor’s responsibilities under the Colorado Privacy Act.
- Data protection assessments – A data protection assessment must be conducted prior to any processing activities that have a heightened risk of harm to consumers.
The Colorado Privacy Act is due to take effect on July 1, 2023. One year after the effective date, on July 1, 2024, data controllers are required to allow consumers to opt out of the processing of their personal data for targeted advertising or the sale of their data via a user-selected universal opt-out mechanism.
If any of the provisions of the Colorado Privacy Act are violated, the violation will be considered a deceptive trade practice. Only the state Attorney General and district attorneys are permitted to take action against entities for violations.