Science & Technology

Colorado Privacy Law-Blog Series (Part I)

The Colorado Privacy Act was passed by both Houses on June 8, and is currently awaiting the enactment of the Governor’s signature. As with any other omnibus law passed in the United States (especially California and Virginia), there are many details to check. Colorado is probably an example of what we can expect in the future – some similarities, some differences, and some new elements. Similarities include opt-out of certain processing activities such as consumer rights, privacy notices, and sales of personal data.

The governor usually takes 10 days to sign, but due to the end of the legislative assembly in 2021, it takes 30 days to sign or reject (Colo. Const. Art. IV, Section 11). If he does neither, it will be the law by default. If you pass, The effective date is July 1, 2023. Unless a referendum petition has been submitted. In some cases, the law and its enforcement date are subject to the election protocol.

Considering the scope of Colorado Privacy Law, we offer a four-part blog series to address all components.

  • Part I – Overview
  • Part II – Consumer Rights and How to Implement a Response Program
  • Part III-Agree with special processing activities (targeted advertising, sales, profiling)
  • Part IV – Party and Contract Responsibilities

It’s easy to see the similarities and differences with omnibus privacy laws in other states. Like Virginia, Colorado has adopted many of the European Union’s General Data Protection Regulation concepts, such as controllers and processors. controller Being “a person who decides the purpose and means of processing personal data alone or jointly”. Similarly processor A person who “processes personal data on behalf of the administrator”. However, Colorado does provide instructions on when the processor will become a controller through action.

Colorado has made it clear that the decisions of administrators and processors are “factual decisions that depend on the circumstances in which personal data is processed” (s.6-1-1305 (7)). A processor that does not follow the contractual controller’s instructions is considered a controller according to the controller’s requirements.

personal data Is “information that is or may be reasonably linked to an identified or identifiable individual,” but does not include anonymized or publicly available information.

Another important term is consumer – A Colorado resident who “acts only in personal or family situations” but “does not act in commercials” [B2B] Or the employment situation as a job seeker, or the beneficiary of someone who acts in the employment situation. “

Who is subject to the Colorado Privacy Act?

The Colorado Privacy Act (“CPA”) states that in addition to an administrator who operates in Colorado or manufactures or provides commercial products or services that are intentionally targeted to Colorado residents, one of two items: Applies to.

  • Manage or process the personal data of more than 100,000 consumers during a calendar year, or
  • Revenue from the sale of personal data or receive discounts on prices of goods and services to process or manage the personal data of at least 25,000 consumers (Colorado residents), but for B2B and employment status It’s outside.

“CPA definition of”SaleIs similar to California in that it is not limited to the pure monetary exchange of personal data, but it does include “other valuable considerations”. There are exceptions, such as disclosure from managers to processors for activities on behalf of managers, as requested by consumers or to facilitate mergers and acquisitions. It also excludes intentional consumer disclosure, such as using a controller to interact with a third party or using the mass media to disclose to the general public.

There are also a wide range of exceptions to common CPA (s. 6-1-1304 (2)). For example, CPA does not apply to protected health information under the Health Insurance Portability and Accountability Act (“HIPAA” with subsequent amendments), or the Gramm-Leach-Billy Act (“GLBA”). ”), Personal data regulated under the Children’s Online Privacy Protection Act (“COPPA”), or the Family Education Rights Act (“FERPA”), and quite a few other widespread exceptions.


The CPA does not have the right to act privately and states that any breach of the CPA cannot be used as a basis for supporting the right to act privately under other laws.

The Attorney General and the District Attorney have exclusive authority to enforce, including injunctions, reconciliations, and penalties. Enforcement details are based on Section 1 of the Colorado Amendment Act (Colorado Consumer Protection Act), with fines of up to $ 2,000 for each breach. This is a set of related violations for each consumer or transaction. Section 6 of the Colorado Amendment Act covers consumer and commercial affairs covering a myriad of topics, from fair trade to health insurance co-operatives. The Colorado Consumer Protection Act is included in Article 1 – Fair Trade and Trade Restrictions. Notification of security breach Specific provisions under Part 7.

After it goes into effect, the AG or the district attorney may issue a notice of CPA breach before taking enforcement action, given the 60-day grace period, which the AG or district attorney believes can correct the breach. This is only allowed for the first year and a half. On January 1, 2025, optional notifications and treatment times will be abolished.

Visit the TrustArc blog next Wednesday, June 23, for Part II of the blog series, which covers specific information about consumer rights within Colorado privacy law.

Colorado Privacy Law-Blog Series (Part I) Colorado Privacy Law-Blog Series (Part I)

Back to top button