As part of the continued movement towards increased privacy regulation, Colorado joins California and Virginia as it becomes the third state to enact a comprehensive data privacy law. On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law. The Act will go into effect on July 1, 2023, with some specific provisions taking effect at later dates.
The Act applies to companies conducting business in Colorado or that produce or deliver commercial products or services targeted to Colorado residents. These include those that either (1) control or process the personal data pertaining to at least 100,000 consumers during a calendar year; or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 individuals.
The state’s Attorney General and its district attorneys will enforce the act – it does not provide for a private right of action.
The Act establishes obligations for companies and provides consumers with several new privacy rights, most notably it:
The Act also exempts a number of processing activities, such as performing internal operations, protecting a consumer’s vital interests, preventing and detecting fraud or other malicious, deceptive or illegal activity, and conducting internal research to improve, repair or develop products.
In totality, the Act provides for a sea change for companies processing data on Coloradans. Those companies who will fall outside the size exceptions for the number of Colorado consumers will have only two years to get up to speed. As we have seen with California’s CCPA, getting started early will prove vital to ensuring compliance.