As part of the continued movement towards increased privacy regulation, Colorado joins California and Virginia as it becomes the third state to enact a comprehensive data privacy law.  On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law. The Act will go into effect on July 1, 2023, with some specific provisions taking effect at later dates.

The Act applies to companies conducting business in Colorado or that produce or deliver commercial products or services targeted to Colorado residents.  These include those that either (1) control or process the personal data pertaining to at least 100,000 consumers during a calendar year; or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 individuals.

The state’s Attorney General and its district attorneys will enforce the act – it does not provide for a private right of action.

The Act establishes obligations for companies and provides consumers with several new privacy rights, most notably it:

  • Establishes rights of data access, correction, deletion and portability for individuals;
  • Provides individuals with the right to opt out of (1) processing for targeted advertising, and (2) sale of personal data and profiling to arrive at decisions that result in legal or similarly significant effects on an individual;
  • Exempts from the Act’s obligations employee data, de-identified data and publicly available information, as well as data governed by laws such as HIPAA, GLBA and COPPA;
  • Distinguishes between data controllers and data processors, and outlines the duties of each;
  • Imposes a duty of transparency, requiring controllers to provide individuals with a privacy notice containing specified information;
  • Requires controllers to specify the purposes for which they are collecting and processing data;
  • Provides that a controller’s collection of personal data must be adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data is processed;
  • Prohibits controllers from processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the data is processed unless consent is obtained;
  • Requires controllers to implement reasonable measures to secure personal data;
  • Prohibits controllers from processing personal data in violation of state or federal laws that prohibit discrimination;
  • Requires opt-in consent for the processing of sensitive data; and
  • Requires companies to carry out data protection impact assessments when processing presents a heightened risk of harm, such as processing personal data for targeted advertising, profiling, sale or processing sensitive data.

The Act also exempts a number of processing activities, such as performing internal operations, protecting a consumer’s vital interests, preventing and detecting fraud or other malicious, deceptive or illegal activity, and conducting internal research to improve, repair or develop products.

In totality, the Act provides for a sea change for companies processing data on Coloradans. Those companies who will fall outside the size exceptions for the number of Colorado consumers will have only two years to get up to speed.  As we have seen with California’s CCPA, getting started early will prove vital to ensuring compliance.