The Colorado State Senate approved the “Colorado Privacy Act” on June 8, making Colorado only the third state, after California and Virginia, to have a comprehensive data privacy law. Senate Bill/Act 190 has now been sent to Governor Jared Polis, whose signature will seal the fate of this act. It would then come into effect on July 1, 2023, unless he uses his veto to stop its enforcement within 10 days of transmission.
The 5 Key Rights of the Colorado Privacy Act
The privacy act will not apply to all businesses operating in Colorado but only to the ones that:
- Store or process personal data of more than 100,000 consumers annually, or
- Sell personal data and process or control the personal data of 25,000 or more Colorado resident consumers.
Besides, the Colorado Privacy Act has been drafted in a manner that grants the residents of the state five key rights:
- Right to opt out of the sale of their personal data.
- Right to deny processing of personal data for targeted advertising purposes.
- Right to opt out of automated profiling that produces legal or similarly significant effects.
- Right to access their personal data held by the data controller and correct any inaccuracies in it.
- Right to get their data in a portable and ready-to-use format and the privilege to erase this personal data from the data controller’s database whenever they wish to.
Apart from this, data controllers have been asked to limit their data collection to the essential information required to render their services and not to collect it indiscriminately. Additionally, the act makes it mandatory to keep the collected data secured at all times to prevent unauthorized or malicious access.
The Colorado Privacy Act has also taken inclusivity into consideration and has asked data controllers to refrain from collecting and processing sensitive information, such as data on ethnic background, religious beliefs, mental or physical health, sexual orientation, citizenship, genetic/biometric data, and the personal data of minors, unless the consumers opt in or provide consent for it.
Although this Privacy Act is similar to the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), it has some implications that differ from theirs and would thus be a challenge for businesses to comply with. So, we have to wait and watch what happens.