The Centennial State has unanimously passed a new data privacy act to safeguard Coloradoans’ personal information.
On June 8, the state Senate approved the Colorado Privacy Act after a series of revisions were made. The Act is due to take effect on July 1, 2023, and now awaits the signature of state governor Jared Polis.
Should the Act become law, Colorado will follow California and Virginia by enacting comprehensive privacy legislation.
The Act gives consumers who reside in Colorado five key rights over their personal data. Firstly, they have the right to opt out of the sale of their personal data, the processing of personal data for targeted advertising purposes, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.
They also have the right to access their personal data held by a data controller and the right to make corrections to their personal data if inaccuracies are identified.
Finally, they have the right to be provided with their data in a portable and ready to use format, and the right to have their personal data erased.
The new Act will apply to all data controllers operating businesses in Colorado that process or control the personal data of 100,000 or more Colorado resident consumers in a calendar year or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers.
Under the new law, entities will have specific responsibilities pertaining to how they collect and process data. Consumers must be informed about why their personal data is being collected and must be notified if their data is sold or used for targeted advertising.
Data controllers must limit their data collection, only gathering the information they need to serve their stated purpose. And the data they collect must be secured to prevent unauthorized access.
Sensitive information, such as data on ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship status, genetic/biometric data, and the personal data of minors, cannot be collected and processed unless consumers provide their consent through an opt-in process.