Colorado is poised to join the growing number of states enacting a comprehensive privacy law.  On Monday, June 7, both houses of the legislature passed the Colorado Privacy Act.  The bill will now be sent to the Governor for approval.  The Colorado Privacy Act:

  • provides consumers with a right to opt-out of processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling;
  • creates consumer rights of access, correction, deletion, and data portability (subject to certain exceptions);
  • restricts controllers from processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, without the consumer’s consent;
  • imposes a duty of care to secure personal data; and
  • requires affirmative consent prior to processing sensitive data about the consumer.

The law would apply to legal entities that conduct business or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and either:  (1) controls or processes personal data of 100,000 consumers during a calendar year or (2) derives revenue or receives a discount on the price of goods from the sale of personal data or processes or controls the personal data of 25,000 consumers or more.  However, the law contains exceptions related to HIPAA, GLBA, COPPA, and FERPA.

In addition, the requirements under the Colorado Privacy Act do not restrict the controller’s ability to, among other things, conduct internal research to improve, repair, or develop products, services or technology; identify and repair errors; or perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller.

The Colorado Privacy Act would be enforced by the Colorado Attorney General and District Attorneys, and the Attorney General has rulemaking authority.  If signed into law, the Colorado Privacy Act will go into effect July 1, 2023.

 

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Madeline Salinas Madeline Salinas

Madeline Salinas is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.