Like California and Virginia, Colorado has passed a comprehensive data privacy law to protect its residents. Several amendments were made before the Colorado Privacy Act was finalized. The state Senate passed the Act unanimously on June 8, 2021. Colorado Governor Jared Polis signed the bill on July 7, 2021, and it will become effective on July 1, 2023.
The Colorado Privacy Act applies to data controllers that do business in Colorado and that either control or process the personal information of at least 100,000 Colorado resident consumers within a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal information and control or process the personal information of at least 25,000 Colorado resident consumers.
Exclusions include protected health information (PHI) collected, processed, or stored by HIPAA-covered entities and business associates; personal information collected, processed, sold, or shared pursuant to the Gramm-Leach-Bliley Act (GLBA); information governed by the Children’s Online Privacy Protection Act of 1998 (COPPA); and individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
The Colorado Privacy Act provides Colorado consumers five rights relating to their personal information. They have the right to
- opt out of the processing of their personal information for targeted advertising, the sale of their personal information, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.
- correct inaccuracies in their personal information.
- access their personal information held by a data controller.
- obtain their personal information in a portable and readily usable format.
- have their personal information deleted.
All entities under the Colorado Privacy Act have obligations regarding the information they collect and process.
Transparency – Consumers must be informed of the reasons why their personal information is collected and processed. When personal information is sold or used for targeted advertising, consumers must be notified. Data controllers must not require consumers to create a new account in order to exercise a right, nor increase the cost or reduce the availability of a product or service because a consumer exercised a right.
Purpose of collection – Consumers must be informed of the specific purposes for which their personal information is collected and processed.
Data security – Data controllers must take reasonable measures to secure personal information against unauthorized access.
Data minimization – The personal information collected and processed must be limited to what is reasonably necessary to accomplish the purpose for which it was collected and processed.
Unlawful discrimination – Personal information must not be collected or processed in violation of federal anti-discrimination laws.
Secondary data uses – Personal information must not be processed for secondary purposes that are incompatible with the purpose for which it was collected or with the consent given by consumers.
Sensitive data – Sensitive information, such as information revealing religious beliefs, ethnic origin, sexual orientation, mental or physical health, citizenship, genetic or biometric data, and the personal information of minors, may only be collected and processed when consumers give their consent through an opt-in process.
Data protection assessments – A data protection assessment must be conducted before undertaking any processing activity that presents a heightened risk of harm to consumers.
Contracts with processors – A data controller must have a contract with each data processor that sets out the processor’s obligations under the Colorado Privacy Act.
The Colorado Privacy Act will become effective on July 1, 2023. From July 1, 2024, one year after the effective date, data controllers must allow consumers to opt out of the use of their personal information for targeted advertising or the sale of their information through a universal opt-out mechanism selected by the user.
A violation of any provision of the Colorado Privacy Act is treated as a deceptive trade practice. Only the state Attorney General and district attorneys may take enforcement action against violating entities.