Colorado Privacy Act - in a nutshell

Written by Odia Kagan
September 12, 2023


Other than California, Colorado is (at the time of writing) the only US state to have issued a robust set of implementing privacy regulations, and in several respects the Colorado rules are actually more detailed than California's. In this article, community contributor Odia Kagan gives a breakdown of the Colorado Privacy Act.

What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a comprehensive data privacy law that protects the rights of Colorado residents regarding the processing of their personal information by companies that do business in Colorado. The law imposes obligations including:

  • Providing a detailed privacy notice explaining how the information is processed.
  • Giving individuals the right to access and obtain a copy of their information; to correct it; to delete it (with exceptions); and to opt out of the sale of their information and of its use for targeted advertising and certain profiling.
  • Restricting the processing of sensitive information (such as health data, precise geolocation and children's information): it may not be processed without the individual's opt-in consent.
  • Conducting a written risk assessment before processing sensitive information or children's information, or before using information for profiling or targeted advertising.
  • Entering into detailed contracts with third parties that handle personal information (outsourcing and data sharing).

To whom does it apply?

It applies to companies, whether located in the state or not and whether for-profit or not, that do business in Colorado or deliver products or services targeted at Colorado residents, process the personal information of Colorado residents, and meet a volume threshold: controlling or processing the personal information of at least 100,000 Colorado residents in a calendar year, or of at least 25,000 residents while deriving revenue or a discount from the sale of personal information. Personal information includes things like online identifiers, cookie data, precise geolocation and biometrics, and the residents counted towards the threshold can simply be website users.

Why is this important?

The law went into effect on July 1, 2023, and the Attorney General, Phil Weiser, has already started an enforcement sweep, sending letters to dozens of businesses. He has said that his office takes compliance with the law seriously, but will take into consideration companies that can demonstrate a good-faith effort on their compliance journey.

What are companies grappling with?

Following in the footsteps of companies that have already grappled with the CPA's "sister" laws, the EU GDPR and the California CPRA, we have seen companies grapple with the following (and no, being GDPR compliant does not mean you have no Colorado compliance work left to do):

  • Drafting privacy notices that are "human readable" and pass the "clear and conspicuous" test, and designing websites to address the collection and sharing of information through cookies and pixels.
  • Developing processes for responding to consumer requests (access, correction, deletion, opt out etc.) in a timely, complete and accurate manner.
  • Analyzing uses of sensitive information to determine when and whether consent is necessary, and how to obtain valid Colorado consent (which is modeled on the demanding GDPR consent standard).
  • Preparing and drafting data protection impact assessments (DPIAs) – the risk assessment required by the Colorado law.
  • Drafting and negotiating the processor and third-party agreements that are required with vendors.