The Colorado Privacy Act (SB 21-190) is a privacy law signed on July 7, 2021 to protect the privacy of Colorado residents. The law achieves this goal by granting privacy rights to Colorado residents, requiring certain websites to have a Privacy Policy, and imposing heavy fines for failure to comply. The law goes into effect on July 1, 2023.
In this Compliance Guide, we will discuss the following as it relates to the Colorado Privacy Act:
- Who needs to comply with this law;
- How the Colorado Privacy Act defines personal data;
- The privacy rights provided by this law;
- Colorado Privacy Act Privacy Policy requirements;
- The penalties for failing to comply.
Who does the Colorado Privacy Act apply to?
As with other privacy laws, businesses do not need to be located in Colorado for this law to apply. The Colorado Privacy Act applies to controllers (persons that determine the purposes for and means of processing personal data) of personal data that:
- Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado; and
- Satisfy one of the following thresholds:
- Controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado consumers.
Even if you do not meet the thresholds above, note that the Act requires controllers to ensure, by contract, that the processors handling personal data on their behalf adhere to the requirements of the Act. Thus, if you process data on behalf of a client that is subject to the Act, you may be contractually required to meet the obligations of this law even though it does not apply to you directly by statute.
How does the law define personal data?
The Colorado Privacy Act applies to controllers that collect and process personal data. Personal data is defined as information that is linked or reasonably linkable to an identified or identifiable individual. Examples of personal data include names, email addresses, phone numbers, and physical addresses, all of which are frequently collected by business websites via contact forms, email newsletter sign-up forms, appointment-setting forms, and billing portals.
Colorado Privacy Act privacy rights
The Colorado Privacy Act protects the privacy of Colorado consumers by providing them with the following privacy rights:
- Right to opt out – consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data or profiling in furtherance of decisions that produce legal or similarly significant effects;
- Right of access – consumers have the right to confirm whether a controller is processing personal data concerning the consumer and to access their personal data;
- Right to correction – consumers have the right to correct inaccuracies in their personal data;
- Right to deletion – consumers have the right to delete their personal data;
- Right to data portability – when accessing their data, a consumer has a right to obtain that data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit that data to another business.
Colorado Privacy Act Privacy Policy requirements
If the Colorado Privacy Act applies to you, you will need to update your Privacy Policy to include the following information:
- The categories of personal data collected or processed;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise their privacy rights, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
- The categories of personal data that are shared with third parties, if any;
- The categories of third parties, if any, with whom the personal data is shared; and
- If personal data is sold to third parties or processed for targeted advertising, then the Privacy Policy must disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
If this law applies to you, it is important that you update your Privacy Policy before the effective date to avoid potential violations and fines.
The penalties for failing to comply
Once it goes into effect on July 1, 2023, the Colorado Privacy Act will be enforced by the Colorado Attorney General and Colorado District Attorneys. A violation of the law is treated as a deceptive trade practice, which can result in penalties of up to $20,000 per violation and up to $500,000 for a series of related violations. The Act does provide a 60-day period to cure a violation after notice, but this cure period is available only until January 1, 2025.
Termageddon will be making updates to client policies closer to the effective date to ensure that your Privacy Policy has all of the required disclosures. If you do not currently have a Privacy Policy or would like to have one that automatically updates whenever the laws change, check out the Termageddon Privacy Policy generator.
If you have questions or need assistance setting up your page, reach out! You can also check out part one of our series on privacy policies here.