In this Compliance Guide, we will discuss the following as it relates to the Colorado Privacy Act:
- Who needs to comply with this law;
- How the Colorado Privacy Act defines personal data;
- The privacy rights provided by this law;
- The penalties for failing to comply.
Who does the Colorado Privacy Act apply to?
As with other privacy laws, businesses do not need to be located in Colorado for this law to apply. The Colorado Privacy Act applies to controllers (persons that determine the purposes for and means of processing personal data) of personal data that:
- Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado; and
- Satisfy one of the following thresholds:
  - Control or process the personal data of 100,000 or more Colorado consumers during a calendar year; or
  - Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado consumers.
If you do not meet the thresholds above, it is important to note that the Act requires controllers to ensure that processors of personal data adhere to the requirements of the Act. Thus, if you are processing the data on behalf of a client that is subject to the Act, you may be required, via contract, to meet the obligations of this law even if it does not apply to you via statute.
How does the law define personal data?
The Colorado Privacy Act applies to controllers that collect and process personal data. In this case, personal data is defined as information that is linked or reasonably linkable to an identified or identifiable individual. Examples of personal data include names, email addresses, phone numbers, and physical addresses, all of which are frequently collected by business websites via contact forms, email newsletter sign-up forms, appointment-setting forms and billing portals.
Colorado Privacy Act privacy rights
The Colorado Privacy Act protects the privacy of Colorado consumers by providing them with the following privacy rights:
- Right to opt out – consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data or profiling in furtherance of decisions that produce legal or similarly significant effects;
- Right of access – consumers have the right to confirm whether a controller is processing personal data concerning the consumer and to access their personal data;
- Right to correction – consumers have the right to correct inaccuracies in their personal data;
- Right to deletion – consumers have the right to delete their personal data;
- Right to data portability – when accessing their data, a consumer has a right to obtain that data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit that data to another business.
- The categories of personal data collected or processed;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise their privacy rights, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
- The categories of personal data that are shared with third parties, if any;
- The categories of third parties, if any, with whom the personal data is shared; and
The penalties for failing to comply
Once it goes into effect on July 1, 2023, the Colorado Privacy Act will be enforced by the Colorado Attorney General and Colorado District Attorneys. Non-compliance with the law is considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation, up to $500,000 for a series of violations. The Act does provide for a 60-day cure period, but this period will be available only until January 1, 2025.