Colorado is poised to join the growing number of states enacting a comprehensive privacy law.  On Monday, June 7, both houses of the legislature passed the Colorado Privacy Act.  The bill will now be sent to the Governor for approval.  The Colorado Privacy Act:

  • provides consumers with a right to opt-out of processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling;
  • creates consumer rights of access, correction, deletion, and data portability (subject to certain exceptions);
  • restricts controllers from processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, without the consumer’s consent;
  • imposes a duty of care to secure personal data; and
  • requires affirmative consent prior to processing sensitive data about the consumer.

The law would apply to legal entities that conduct business or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and either:  (1) controls or processes personal data of 100,000 consumers during a calendar year or (2) derives revenue or receives a discount on the price of goods from the sale of personal data or processes or controls the personal data of 25,000 consumers or more.  However, the law contains exceptions related to HIPAA, GLBA, COPPA, and FERPA.

In addition, the requirements under the Colorado Privacy Act do not restrict the controller’s ability to, among other things, conduct internal research to improve, repair, or develop products, services or technology; identify and repair errors; or perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller.

The Colorado Privacy Act would be enforced by the Colorado Attorney General and District Attorneys, and the Attorney General has rulemaking authority.  If signed into law, the Colorado Privacy Act will go into effect July 1, 2023.

 

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Madeline Salinas Madeline Salinas

Madeline Salinas counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in…

Madeline Salinas counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in designing cutting-edge products and services, developing privacy notices and consent forms, strategically engaging with state legislatures, and participating in rulemaking proceedings of state and federal agencies. In particular, Madeline has experience advising clients on compliance with laws implicating children’s privacy.

Madeline also partners with clients in developing content moderation policies and designing products and services that facilitate sharing of user-generated content, analyzing the evolving legal landscape and public policy considerations related to content moderation.

As part of her practice, Madeline represents clients in consumer protection enforcement actions brought by the Federal Trade Commission on topics related to data privacy and advertising.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.