Colorado Joins a Growing List of States Proposing Privacy Legislation

On March 26, 2021, Colorado legislature introduced SB 21-190, Colorado Privacy Act.  The bill addresses consumers’ rights to privacy, companies’ responsibility to protect personal data, and authorizes the Attorney General and district attorneys to take enforcement action for violations.

The Act would apply to controllers that conduct business in Colorado or produce products or services that are intentionally targeted to residents of Colorado and that either (1) control or processes the personal data of 100,000 or more consumers per year; or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Under the Colorado Privacy Act, consumers would be able to exercise the following rights by submitting a request to a controller:  (1) right to opt out of the processing of the consumer’s personal data; (2) right of access to confirm that the controller is processing the consumer’s personal data; (3) right to correct inaccurate personal data collected from the consumer; (4) right to delete a consumer’s personal data; and (5) right to data portability.

Colorado controllers will have the following duties under the Act:

• Transparency – controllers would be required to provide consumers with comprehensive privacy notices;

• Purpose specification – controllers would have to specify the express purposes for which personal data are collected and processed;

• Data minimization – controllers would have to limit the collection of data to the amount necessary for the express purposes for which the data is processed;

• Avoidance of secondary use – controllers would not be able to process personal data for purposes that are not compatible with the express purposes for which the data is collected;

• Duty of care – controllers would have to take reasonable measures to secure personal data;

• No unlawful discrimination – controllers would not be able to process personal data in violation of antidiscrimination laws; and

• Sensitive data – controllers would be able to process sensitive data only with consumer’s consent.

The Attorney General and district attorneys will have exclusive authority to enforce the bill. A controller or processor that violates the provisions of the bill would be subject to a civil penalty and may be enjoined from further violations.

If enacted, the Act would take effect on January 1, 2023.

Take a tour of Clarip’s patented data privacy technology and learn how Clarip can help your enterprise comply with emerging state level data subject rights regulations. Call Clarip today at 1-888-252-5653 or schedule a Demo Online!