Colorado is poised to join the growing number of states enacting a comprehensive privacy law.  On Monday, June 7, both houses of the legislature passed the Colorado Privacy Act.  The bill will now be sent to the Governor for approval.  The Colorado Privacy Act:

  • provides consumers with a right to opt-out of processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling;
  • creates consumer rights of access, correction, deletion, and data portability (subject to certain exceptions);
  • restricts controllers from processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, without the consumer’s consent;
  • imposes a duty of care to secure personal data; and
  • requires affirmative consent prior to processing sensitive data about the consumer.

The law would apply to legal entities that conduct business or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and either:  (1) controls or processes personal data of 100,000 consumers during a calendar year or (2) derives revenue or receives a discount on the price of goods from the sale of personal data or processes or controls the personal data of 25,000 consumers or more.  However, the law contains exceptions related to HIPAA, GLBA, COPPA, and FERPA.

In addition, the requirements under the Colorado Privacy Act do not restrict the controller’s ability to, among other things, conduct internal research to improve, repair, or develop products, services or technology; identify and repair errors; or perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller.

The Colorado Privacy Act would be enforced by the Colorado Attorney General and District Attorneys, and the Attorney General has rulemaking authority.  If signed into law, the Colorado Privacy Act will go into effect July 1, 2023.

 

 

Print:
EmailTweetLikeLinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Libbie Canter Libbie Canter

Libbie Canter is a member of the Communications & Media, Data Privacy and Cybersecurity, and Litigation Practice Groups. She represents and advises clients on matters before Congress and various federal agencies, including the Federal Communications Commission and the Federal Trade Commission.  She has…

Libbie Canter is a member of the Communications & Media, Data Privacy and Cybersecurity, and Litigation Practice Groups. She represents and advises clients on matters before Congress and various federal agencies, including the Federal Communications Commission and the Federal Trade Commission.  She has advised clients on a broad range of privacy issues, including data security breach matters, online and mobile marketing, and social networking policies for employers.  Her legislative work focuses on the areas of communications and media, privacy law, and cloud computing policy.