On July 6, Colorado Gov. Jared Polis signed into law Senate Bill 21-190, the Colorado Privacy Act. This makes Colorado the third state, behind California and Virginia, to enact comprehensive consumer data privacy legislation. The act becomes effective July 1, 2023.
The Colorado Privacy Act applies to a controller that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado,” and:
- Controls or processes the personal data of 100,000 or more consumers per calendar year; and/or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers.
Among other things, the act does not apply to information that is processed in compliance with the Health Insurance Portability and Accountability Act of 1996 Privacy Rule, the Fair Credit Reporting Act, or the Gramm-Leach-Bliley Act. In fact, financial institutions and affiliates that are subject to the GLBA are themselves exempt. Data maintained for “employment records purposes” is also exempt.
The act provides consumers the right to:
- Opt out of the processing of their personal data if related to targeted advertising, sale of personal data or certain profiling activities;
- Access their personal data;
- Correct inaccurate personal data;
- Delete personal data, in certain circumstances;
- Obtain a copy of their personal data in a readily usable format;
- Appeal a controller’s refusal to act on a request to exercise a right;
- Contact the attorney general with concerns about an appeal.
Sensitive data, which includes genetic or biometric data, personal data from a child and data that reveals certain personal characteristics, cannot be processed without first obtaining consent.
Security Standards/Risk Assessment
If the processing presents a “heightened risk of harm to a consumer,” a controller must conduct and document data processing assessments that “weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.”
Processing presents a “heightened risk of harm” if it is related to: 1) targeted advertising or profiling in certain circumstances; 2) selling personal data; or 3) processing sensitive data.
The act preempts local laws that would seek to regulate the processing of personal data.
The act does not provide a private right of action. If an alleged violation is not cured within 60 days of notice, the attorney general may bring an action under the Colorado Deceptive Trade Practices Act, which allows for injunctive relief and civil penalties “of not more than twenty thousand dollars for each violation.” Colo. Rev. Stat. § 6-1-112(1)(a).
The state attorney general is tasked with promulgating rules related to a “universal opt-out mechanism” and may also adopt rules governing the issuance of opinion letters and interpretative guidance.
The Colorado Privacy Act resembles the Virginia Consumer Data Protection Act in many ways: it stays the course on basic consumer data privacy principles while maintaining a generally industry-friendly stance.