Approved Colorado Privacy Act Only Awaits State Governor’s Signature

Colorado has joined up with California and Virginia in approving a complete data privacy legislation to protect state citizens. It required a number of amendments before the Colorado Privacy Act was eventually approved unanimously by the Colorado state Senate on June 8, 2021 and currently waits for state governor Jared Polis’ signature.

The Colorado Privacy Act is applicable to all data controllers that do business in Colorado and manage or process the personal information of at least 100,000 Colorado resident customers in a calendar year or get income or obtain a price cut on goods or services from the selling of personal information and process or manage the personal information of at least 25,000 Colorado resident customers.

Exclusions include protected health information (PHI) gathered, processed, or filed by HIPAA-covered entities and their business associates, and any personal information gathered, processed, sold, or shared pursuant to the Gramm-Leach-Bliley Act (GLBA), information managed by the Children’s Online Privacy Protection Act of 1998 (COPPA), and person[s] operating in a business or work context, as a job candidate, or as a beneficiary of somebody working in an employment setting.

The Colorado Privacy Act offers Colorado resident customers five rights with regards to their personal information.

  1. The right not to be included in the processing of personal information for targeted marketing purposes, the selling of their personal information, and programmed profiling in the advancement of decisions that create legal or similarly important results.
  2. The right to gain access to their personal information kept by a data controller.
  3. The right to correction of their personal information in case errors are discovered.
  4. The right to have their personal information removed.
  5. The right to get their information in a mobile and ready-to-use file format.

All entities under the Colorado Privacy Act have the following obligations when they gather and process information.

  • Transparency – Consumers should be informed concerning the rationale for collecting and processing their personal information. When personal information is sold or utilized for targeted marketing, consumers should be well informed. There shouldn’t be any need for consumers to make a new account to avail themselves of one of their rights, nor pay a higher cost or get lower accessibility when availing a consumer right.
  • Purpose of collecting information – Consumers should be advised regarding the particular reasons for which their personal data is being obtained and processed.
  • Data minimization – The personal data obtained and processed should be restricted to what is reasonably required to accomplish the objective for collecting and processing information.
  • Secondary data uses – This should be averted when they are not compatible with the objective for collecting data and the authorization given by consumers.
  • Data security – Data controllers should make sure of the security of personal data to avert unauthorized access.
  • Unlawful discrimination – Collected and processed data should not break federal anti-discrimination legislation.
  • Sensitive data – Sensitive data including information associated to religious beliefs, ethnic origin, sexual orientation, citizenship status, mental or physical wellness, genetic/biometric information, and the personal information of minors – may only be obtained and processed when consumers give their authorization via an opt-in process.
  • Contracts with processors – A data controller needs to sign an agreement with a data processor, and the contract expressing the processor’s duties as per the Colorado Privacy Act.
  • Data protection assessments – A data protection evaluation should be done before any processing activities that have an increased threat of harm to customers.

The Colorado Privacy Act will be effective on July 1, 2023. On July 1, 2024, a year after the effective date, consumers can opt-out of the processing of their personal information for targeted marketing or the selling of their information, through a user-chosen universal opt-out process.

In case of violation of any of the terms of the Colorado Privacy Act, the violation is going to be regarded as a deceitful trade practice. The state Attorney General and district attorneys are allowed to act against entities that committed violations.