April 2024

1. Right To Privacy / Constitutional Protection

The Colorado's Constitution explicitly provides the right to privacy under §7 of Article II which states 'The people shall be secure in their persons, papers, homes, and effects from unreasonable searches and seizures; and no warrant to search any place or seize any person or things shall issue without describing the place to be searched, or the person or thing to be seized, as near as may be, nor without probable cause, supported by oath or affirmation reduced to writing' (Colo. Const. Art. II, §7).

2. Key Privacy Laws

2.1 Colorado Privacy Act

On July 7, 2021, Colorado became the third state in the US (after California and Virginia) to enact a comprehensive data privacy law, the Colorado Privacy Act (CPA). The CPA took effect on July 1, 2023. As described in more detail below, the CPA affords Colorado residents certain rights with respect to their personal data including access, correction, deletion, portability, and opt-out rights. It also imposes affirmative obligations on companies such as transparency, purpose specification, data minimization, and data security, among others.

On March 15, 2023, the Colorado Attorney General (AG) announced the finalization of the Colorado Privacy Act Rules (the CPA Rules), which entered into effect on July 1, 2023. The CPA Rules expand privacy requirements under the CPA and address topics, such as consumer personal data rights, universal opt-out mechanisms, controller duties (with a particular focus on privacy notices and loyalty programs), consumer consent (focusing especially on dark patterns), data protection assessments, and controller use of profiling.

Key Definitions

The following are some key definitions:

• 'Consumer' means an individual who is a Colorado resident acting only in an individual or household context. It does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context (§6-1-1303(6) of the Colorado Revised Statutes (C.R.S.)).
• 'Controller' means a person that, alone or jointly with others, determines the purposes for and means of processing personal data (C.R.S. §6-1-1303(7)).
• 'De-Identified Data' means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data complies with the requirements of the CPA (C.R.S. §6-1-1303(11)).
• 'Personal data' means information that is linked or reasonably linkable to an identified or identifiable individual (C.R.S. §6-1-1303(17)). 'Personal data' does not include 'de-identified data' or 'publicly available information.' 'Identified or identifiable individual' means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as:
  • a name;
  • an identification number;
  • specific geolocation data; and
  • an online identifier (C.R.S. §6-1-1303(16)).
• 'Processor' means a person that processes personal data on behalf of a controller (C.R.S. §6-1-1303(19)).
• 'Profiling' means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (C.R.S. §6-1-1303(20)).
• 'Publicly available information' means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public (C.R.S. §6-1-1303(17)).
• 'Sale' means the exchange of personal data for monetary or other valuable consideration by a controller to a third party (C.R.S. §6-1-1303(23)). 'Sale' does not include:
  • the disclosure of personal data to a processor for processing on behalf of the controller;
  • the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure or transfer to a third party of personal data as an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets;
  • the disclosure of personal data that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; and
  • the disclosure of personal data intentionally made available by a consumer to the public via a channel of mass media (C.R.S. §6-1-1303(23)).
• 'Sensitive data' means:
  • personal data revealing:
    • racial or ethnic origin;
    • religious beliefs;
    • a mental or physical health condition or diagnosis;
    • sex life or sexual orientation; or
    • citizenship or citizenship status;
  • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
  • personal data from a known child (C.R.S. §6-1-1303(24)).

Applicability

The CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and satisfy one or both of the following thresholds:

• control or process the personal data of 100,000 consumers or more during a calendar year; or
• derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more (C.R.S. §6-1-1304(1)).

The CPA provides certain exemptions that apply to certain specified entities (i.e., entity-level exemptions), as well as a number of exemptions that are specific to certain information or processing activities (i.e., information-level exemptions).

Entity-Level Exemptions

The CPA does not apply to:

• an air carrier, as defined in and regulated under 49 U.S.C. §§40101 et seq., as amended, and 49 U.S.C. §41713, as amended;
• a national securities association registered pursuant to the federal Securities Exchange Act of 1934, 15 U.S.C. §78o-3, as amended, or implementing regulations; and
• a financial institution or an affiliate of a financial institution as defined by and subject to the federal Gramm-Leach-Bliley Act of 1999 ('GLBA'), 15 U.S.C. §§6801 et seq., as amended, and implementing regulations, including Regulation P, 12 CFR Part 1016 (C.R.S. §§6-1-1304(2)(l)–(m), (q)).

Notably, the CPA does not provide an exemption for non-profit organizations.

Information-Level Exemptions

The CPA does not apply to certain types of information, including:

• protected health information that is collected, stored, and processed by a covered entity or its business associates;
• healthcare information that is governed by Part 8 of Article 1 of Title 25 of the Colo. Rev. Stat. solely for the purpose of access to medical records;
• patient identifying information, as defined in §2.11 of 42 CFR, that is governed by and collected and processed pursuant to 42 CFR Part 2, established pursuant to 42 U.S.C. sec. 290dd-2;
• identifiable private information, as defined in §46.102 of 45 CFR, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR Part 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR Part 50 and 21 CFR Part 56; or personal data used or shared in research conducted in accordance with one or more of the categories set forth in this subsection (2)(d);
• information and documents created by a covered entity for purposes of complying with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA')and its implementing regulations;
• patient safety work product, as defined in §3.20 of 42 CFR, that is created for purposes of patient safety improvement pursuant to 42 CFR Part 3, established pursuant to 42 U.S.C. §§299b-21 to 299b-26;
• information that is:
  • de-identified in accordance with the requirements for de-identification set forth in 45 CFR Part 164; and
  • derived from any of the health-care-related information described in this section;
• information maintained in the same manner as information under subsections (2)(a) to (2)(g) of this section by:
  • a covered entity or business associate;
  • a health-care facility or health-care provider; or
  • a program of a qualified service organization as defined in §2.11 of 42 CFR (C.R.S. §§6-1-1304(2)(a)–(h)).

The CPA also exempts information protected by statute or regulations, including:

• the Fair Credit Reporting Act of 1970, 15 U.S.C. §§1681 et seq.;
• the Colorado Health Benefit Exchange Act;
• the GLBA;
• the Driver's Privacy Protection Act of 1994;
• the Children's Online Privacy Protection Act of 1998 (COPPA);
• the Family Educational Rights and Privacy Act of 1974 (C.R.S. §§6-1-1304(2)(i)–(j)).

Additionally, the CPA exempts:

• data maintained for employment records purposes;
• customer data maintained by a public utility;
• data maintained by a state institution of higher education, as defined in Colo. Rev. Stat. §23-18-102(1);
• the state; the judicial department of the state; or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes; and
• information used and disclosed in compliance with §512 of 45 CFR Part 164 (C.R.S. §§6-1-1304(2)(k), (n)–(p)).

Consumer Rights

Similar to other comprehensive data privacy laws, the CPA provides consumers with certain rights regarding their personal data. The CPA provides the following consumer rights:

• Right of access: Consumers have the right to confirm whether a controller is processing their personal data and to access such personal data (C.R.S. §6-1-1306(1)(b)).
• Right to correction: Consumers have the right to correct inaccuracies in their personal data (C.R.S. §6-1-1306(1)(c)).
• Right to deletion: Consumers have the right to delete personal data concerning them (C.R.S. §6-1-1306(1)(d)).
• Right to data portability: Consumers have the right to obtain personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity without hindrance (C.R.S.§6-1-1306(1)(e)).
• Right to opt-out: Consumers have the right to opt out of the processing of personal data for purposes of:
  • targeted advertising;
  • the sale of personal data; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer (C.R.S. §6-1-1306(1)(a)).

Authentication and Responding to Consumer Requests

The CPA Rules require controllers to 'use a commercially reasonable method for authenticating the identity of every consumer submitting any data right request' (Rule 4.08(A)). The CPA Rules specify that if a controller cannot authenticate the consumer submitting a request, the controller is not required to comply with the consumer's requests, but the controller must inform the consumer that their identity could not be authenticated (Rule 4.08(F)).

The CPA requires controllers to respond to consumer rights requests without undue delay and within 45 days. Controllers may extend the response period by up to 45 more days if reasonably necessary considering the complexity and number of requests. The controller must tell the consumer about any extension and its reason within the initial 45-day period (C.R.S. §6-1-1306(2)(a)).

The CPA also requires controllers to establish a process for consumers to appeal a denial of their request, and communicate that they can contact the AG if they have concerns about the denial of the request. The appeal process must be 'conspicuously available and as easy to use as the process for submitting a request' (C.R.S. §6-1-1306(3)(a)).

Under the CPA Rules, a controller is required to maintain records of all consumer data rights requests or at least 24 months (Rule 6.11(A)). The records must include, at a minimum:

• the date of request;
• the consumer data rights request type;
• the date of the controller's response;
• the nature of the controller's response;
• the basis for the denial of the request if the request is denied in whole or in part; and
• the existence and resolution of any consumer appeal to a denied request.

Key Controller Responsibilities

Under the CPA, controllers have the following duties:

• Transparency. Controllers must provide consumers with a 'reasonably accessible, clear, and meaningful' privacy notice that includes certain specified content (C.R.S. §6-1-1308(1)(a)).
• Purpose specification and limitation. Controllers must specify the express purposes for which personal data are collected and processed (C.R.S. §6-1-1308(2); CCR 904-3, Rule 6.06). Moreover, a controller must not process personal data for purposes that are not 'reasonably necessary to or compatible with the specified purpose' unless the controller first obtains consent from the consumer (C.R.S. §6-1-1308(4); Rule 6.08 of the CPA Rules).
• Data minimization. Controllers must limit the collection of personal data to that which is relevant and reasonably necessary in relation to the specified purpose (C.R.S. §6-1-1308(3); Rule 6.07 of the CPA Rules).
• Data Security. Controllers must take reasonable measures to secure data during storage and use. Such data security measures must be 'appropriate to the volume, scope, and nature of the personal data processed' (C.R.S. §6-1-1308(5); Rule 6.09 of the CPA Rules).
• Non-discrimination. Controllers are prohibited from processing personal data 'in violation of state or federal laws that prohibit unlawful discrimination against consumers' (C.R.S. §6-1-1308(6)).
• Consent to process sensitive data. Controllers are prohibited from processing sensitive data without first obtaining consent. In the case of a known child, consent from the child's parent or lawful guardian is required (C.R.S. §6-1-1308(7); Rule 6.10 of the CPA Rules).
• Data protection assessments. Controllers must conduct a data protection assessment when processing personal data that presents a 'heightened risk of harm' to a consumer (C.R.S. §§6-1-1309(1)-(2)).

Privacy Notices

The CPA requires that a controller's privacy notice must include:

• the categories of personal data collected or processed;
• the purposes for which the categories of personal data are processed;
• the categories of personal data that the controller shares with third parties, if any;
• the categories of third parties with which the controller shares personal data, if any;
• clear and conspicuous disclosure of the sale or processing of personal data if the controller sells it to third parties or processes it for targeted advertising, as well as how consumers can exercise their right to opt out of sale or processing;
• how and where consumers can exercise their rights under the CPA, including contact information for the controller and information about appealing a controller's action with regards to consumer requests (C.R.S. §6-1-1308(1)(a), (b); Rule 6.03 of the CPA Rules).

The CPA Rules require controllers to notify consumers of material changes to a privacy notice (Rule 6.04(A). Material changes may include, but are not limited to, changes to:

• categories of personal data processed;
• processing purposes;
• a controller's identity;
• the act of sharing personal data with third parties;
• categories of third parties' personal data is shared with; or
• methods by which consumers can exercise their data rights request (CCR 904-3, Rule 6.04(A)(1).

Consent

Under the CPA, there are some specific scenarios whereby controllers must obtain consent from the consumer, including prior to:

• processing a consumer's sensitive data;
• processing personal data concerning a known child, in which case the child's parent or lawful guardian must provide consent;
• selling a consumer's personal data, processing a consumer's personal data for targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer after the consumer has exercised the right to opt out of the processing for those purposes; and
• processing personal data for purposes that are not reasonably necessary to, or compatible with, the originally specified purposes for which the personal data are processed (Rule 7.02(A))

The CPA defines valid consent as 'a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action' (C.R.S. §6-1-1303(5)). The CPA and the CPA Rules specify that any agreement obtained through dark patterns is not valid consent (C.R.S. §6-1-1303(5)(c); Rule 7.03(F)). A 'dark pattern' is defined as 'a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice' (C.R.S. §6-1-1303(9)).

The CPA Rules include a section addressing user consent, and in particular devote an entire section to the concept of dark patterns, providing a series of nine principles that controllers should 'consider[] when designing a user interface or a choice architecture used to obtain consent,' including:

• providing symmetry in choice options;
• avoiding emotionally manipulative language or visuals;
• not treating silence or failure to take affirmative action as consent;
• not using preselected or default options;
• using a similar number of steps for either choice option;
• not unnecessarily interrupting or intruding upon a consumer's expected interaction with a website;
• avoiding misleading statements, omissions, affirmative misstatements, or intentionally confusing language;
• considering the unique characteristics of the target audience  and
• making sure consent choice architecture operates in a similar manner when accessed through digital accessibility tools (rule 7).

Data Protection Assessments

The CPA requires controllers to conduct data protection assessments before conducting processing activities that present a heightened risk of consumer harm, such as for:

• targeted advertising;
• selling personal data;
• processing sensitive data;
• profiling that presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial or physical injury to consumers;
  • a physical or other intrusion on consumers' solitude, seclusion, private affairs, or private concerns, if it would offend a reasonable person; or
  • other substantial consumer injury (C.R.S. §6-1-1309(6)).

The CPA Rules provide additional guidance regarding scope, stakeholder involvement, content, and timing for data protection assessments (Rule 8). The CPA Rules also outline the specific requirements for conducting data protection assessments for profiling (Rule 9.06) A controller is required to make data protection assessments available to the AG upon request (C.R.S. §6-1-1309(4)). The obligation to conduct data protection assessments is not retroactive and only applies to processing activities created or generated after July 1, 2023 (C.R.S. §6-1-1309(6)).

Universal Opt-Out Mechanisms

The CPA requires that beginning on July 1, 2024, controllers allow consumers to exercise their rights to opt out of the processing of their personal data for purposes of targeted advertising or sale through a universal opt-out mechanism (C.R.S. §6-1-1306(a)(IV)(A)). The CPA Rules detail the technical specifications for these universal opt-out mechanisms and explain how the Colorado Department of Law will maintain a public list of opt-out mechanisms that satisfy those specifications, available here (Rule 5).

Processor Obligations

The CPA requires processors to adhere to the instructions of the controller and assist the controller in meeting the controller's obligations under the CPA, including:

• fulfilling the controller's obligation to respond to consumer requests to exercise their rights under the CPRA;
• helping to meet the controller's obligations in relation to the security of processing the personal data and the notification of a breach of security; and
• providing information to the controller necessary to enable the controller to conduct and document any data protection assessments (C.R.S. §6-1-1305(2)).

The CPA also requires a binding contract between controllers and processors that governs the processing of personal data by the processor. The contract must include provisions that:

• provide processing instructions and describe:
  • the nature and purpose of the processing;
  • the type of personal data processed; and
  • the duration of processing.
• describe the processor's data protection obligations, including to:
  • establish the duty of confidentiality;
  • follow the law's restrictions on using subcontractors; and
  • provide appropriate security measures.
• require the processor to:
  • return or destroy all personal data when the services end, at the controller's option, unless the law requires retention;
  • make available all information necessary to demonstrate its compliance with the CPA and the contract; and
  • allow the controller to conduct reasonable audits and inspections or, with the controller's consent, arrange for an annual independent audit of the processor's data protection policies and support measures (C.R.S. §6-1-1305(5)).

Enforcement

The AG and district attorneys have exclusive authority to enforce the CPA by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce the CPA, including seeking an injunction to enjoin a violation of the CPA (C.R.S. §6-1-1311 (1)(a)).

The CPA specifically says that it does not provide a private right of action for violations of the CPA or any other law (C.R.S. §6-1-1311 (1)(b)).

Before any enforcement action, the AG or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller does not cure the violation within 60 days of receiving the notice of violation, the AG or district attorney may bring an action. The notice and 60-day cure period sunset on January 1, 2025 (C.R.S. §6-1-1311 (1)(d)).

Regulations

The CPA authorizes the AG to engage in rulemaking for the purposes of carrying out the law (C.R.S. §6-1-1313). The CPA sets out two deadlines for the AG to adopt certain final rules:

• by July 1, 2023, the AG must adopt rules detailing technical specifications for universal opt-out mechanisms that meet specific requirements (C.R.S. §6-1-1313(2)); and
• by July 1, 2025, the AG must adopt rules:
  • governing its process for issuing opinion letters; and
  • providing interpretive guidance that gives businesses operational frameworks for meeting the CPA's requirements, including good faith safe harbors (C.R.S. §6-1-1313(3)).

2.2 Colorado Consumer Protection Act

The Colorado Consumer Protection Act, Colo. Rev. Stat. §§6-1-101 to 6-1-1214, contains a number of key privacy protections.

Scope of Application

The Colorado Consumer Protection Act regulates any 'covered entity' in Colorado that, during the course of business, maintains paper or electronic documents that contain 'personal identifying information' (Colo. Rev. Stat. §6-1-713 (1)).

Key Definitions

• Covered entity means a person, as defined in Colo. Rev. Stat. §6-1-102(6), that maintains, owns, or licenses personal identifying information in the course of the person's business, vocation, or occupation. A covered entity does not include a person acting as a third-party service provider as defined in Colo. Rev. Stat. §6-1-713.5(5).
• Personal identifying information includes:
  • social security numbers;
  • personal identification numbers (PINs);
  • passwords;
  • passcodes;
  • official state or government-issued driver's license or identification card numbers;
  • government passport number;
  • biometric data;
  • employer, student, or military identification numbers; and
  • financial transaction devices (Colo. Rev. Stat. §6-1-713(2)(b).).

Privacy Protections

Confidentiality of social security numbers

Under Colo. Rev. Stat. §6-1-715, a person or entity is prohibited from doing any of the following:

• publicly post or publicly display in any manner, which means to intentionally communicate or otherwise make available to the general public, an individual's social security number;
• print an individual's social security number on any card required for the individual to access products or services provided by the person or entity;
• require an individual to transmit their social security number over the internet, unless the connection is secure or the social security number is encrypted;
• require an individual to use their social security number to access an internet website, unless a password or unique personal identification number or other authentication device is also required to access the internet website; and
• print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires, permits, or authorizes the social security number to be on the document to be mailed (Colo. Rev. Stat. §6-1-715 (1)(a)-(e)).

Protection of Personal Identifying Information

As discussed in further detail in the section below on data disposal/cybersecurity/data security, the Colorado Consumer Protection Act contains three primary data security laws that require companies to:

• protect personally identifiable information;
• promptly notify Colorado residents when their information is at risk of being misused by unauthorized third parties; and
• dispose of personally identifiable information when it is no longer needed.

2.3 Wiretapping and Surveillance Statutes

Colorado has several statutes that address wiretapping and eavesdropping, including:

• Wiretapping and Eavesdropping, Colo. Rev. Stat. §§16-15-101 through 16-15-104
• Invasion of Privacy for Sexual Gratification, Colo. Rev. Stat. §18-3-405.6
• Criminal Invasion of Privacy, Colo. Rev. Stat. §18-7-801
• Offenses Involving Communications, Colo. Rev. Stat. §§§18-9-301 through 18-9-310

3. Health Data

Colorado does not have a single uniform law that governs health data. Instead, Colorado has several statutes that address medical record confidentiality and health information in a variety of contexts. For example:

• Colo. Rev. Stat. §10-16-1003 requires healthcare cooperatives to maintain the privacy of individually identifiable health information. The statute also specifies the circumstances in which such information may be disclosed (e.g., with the individual's authorization, for law enforcement purposes, for bona fide research projects, etc.).
• Colo. Rev. Stat. §10-3-1104.6 provides that genetic information is confidential and that any release, for purposes other than diagnosis, treatment, or therapy, of genetic information that identifies the person tested with the test results released requires specific written consent by the person about whom the genetic information pertains or the parent or guardian of that person (Colo. Rev. Stat. §10-3-1104.6(3)(a)). The statute also prohibits any entity that receives genetic information from seeking, using, or keeping the information for any nontherapeutic purpose or for any underwriting purpose connected with the provision of health-care insurance or Medicare supplement insurance coverage (Colo. Rev. Stat. §10-3-1104.6(3)(b)).
• Colo. Rev. Stat. §25-32-106 requires health care providers to disclose a patient's medical information if a poison control service provider needs the information to respond to a medical emergency. Requires poison control service providers to maintain the confidentiality of any information they receive.

4. Financial Data 

Colorado does not have a specific privacy law applicable to financial data.

5. Employment Data

5.1 Personnel File Access for Employees

Colo. Rev. Stat. §8-2-129 governs employee access to personnel files in Colorado.

Employers are required, at least annually, upon the request of an employee, to permit that employee to inspect and obtain a copy of any part of their own personnel file (Colo. Rev. Stat. §8-2-129(1)).

Key Definitions

• 'Personnel file' means the personnel records of an employee, in the manner maintained by the employer and using reasonable efforts by the employer to collect, that are used or have been used to determine the employee's qualifications for employment, promotion, additional compensation, or employment termination or other disciplinary action (Colo. Rev. Stat. §8-2-129(2)(c)).

'Personnel file' does not include:

• documents or records required to be placed or maintained in a separate file from the regular personnel file by federal or state law or rule;
• documents or records pertaining to confidential reports from previous employers of the employee;
• an active criminal investigation, an active disciplinary investigation by the employer, or an active investigation by a regulatory agency; or
• any information in a document or record that identifies any person who made a confidential accusation, as determined by the employer, against the employee who makes a request (Colo. Rev. Stat. §8-2-129(2)(c)).
• 'Employer' does not include any entity subject to the 'Colorado Open Records Act', part 2 of article 72 of title 24, Colo. Rev. Stat. (Colo. Rev. Stat. §8-2-129(2)(b)).

Scope of Application

The statute does not apply to financial institutions chartered and supervised under state or federal law, including without limitation:

• a bank;
• a trust company;
• a savings institution; and
• a credit union (Colo. Rev. Stat. §8-2-129(4)(a)-(d)).

Enforcement and Penalties

The statute does not create or authorize a private cause of action by a person aggrieved by a violation of the statute (Colo. Rev. Stat. §8-2-129(3)(a)).

5.2 Social Media Privacy

An employer is prohibited from suggesting, requesting, or requiring an employee or applicant to disclose any username, password, or other means for accessing the employee's or applicant's personal account or service through the employee's or applicant's personal electronic communications device (Colo. Rev. Stat. §8-2-127(2)(a)).

An employer shall not compel an employee or applicant to add anyone, including the employer or their agent, to the employee's or applicant's list of contacts associated with a social media account, or require, request, suggest, or cause an employee or applicant to change privacy settings associated with a social networking account.

6. Online Privacy

6.1 Children's data

Colorado has not enacted specific legislation governing the protection of children's privacy, and therefore the provisions of COPPA apply.

6.2 Tracking technologies e.g. cookies and other identifiers

See the section above on the CPA, which governs 'targeted advertising.'

7. Unsolicited Commercial Communications

7.1 Colorado Anti-Spam Laws

Colorado's Spam Reduction Act (Colo. Rev. Stat. §6-1-702.5) makes it a deceptive trade practice to send certain spam emails.

Colorado has also made it a deceptive trade practice to send unsolicited advertisements via fax machines (Colo. Rev. Stat. §6-1-702).

7.2 Telemarketing

Part 3 of the Colorado Consumer Protection Act, on prevention of Telemarketing Fraud (Colo. Rev. Stat. §§6-1-301 to 6-1-305) requires a 'commercial telephone seller' to register with the Colorado Attorney General at least ten days prior to conducting business in Colorado. (Colo. Rev. Stat. §6-1-302(1)). The law also places legal limits on telemarketing practices. A 'commercial telephone seller' or 'seller' is defined as a person who, in the course of such person's business, vocation, or occupation, on the person's own behalf or on behalf of another person, causes or attempts to cause a commercial telephone solicitation to be made. (Colo. Rev. Stat. §6-1-302(1)). A 'Commercial telephone solicitation' includes:

• unsolicited telephone calls to a person initiated by a commercial telephone seller or salesperson, or an automated dialing machine with or without a recorded message device, for the purpose of inducing the person to purchase or invest in goods, services, or property or offering an extension of credit;
• any other communication by a commercial telephone seller in which:
  • a gift, award, or prize is offered and a telephone call response from the intended purchaser is invited
  • a loan, credit card, or other extensions of credit is offered to a purchaser who has not previously purchased from the person initiating the communication, and a telephone call response from the intended purchaser is invited; and
  • a sale is to be completed or an agreement to purchase is to be entered into during the course of the telephone call response;
• any other communication by a commercial telephone seller which includes representations about the price, quality, or availability of goods, services, or property, and which invites a response by telephone, including pay-per-call service calls, or which is followed by a telephone call to the intended purchaser by a salesperson (Colo. Rev. Stat. §6-1-302(2)(a)-(c)).

Colorado implemented a 'Do Not Call' Registry system in 2001 through the Colorado No-Call List Act (Colo. Rev. Stat. §§6-1-901 through 6-1-908), which enables consumers to protect themselves against unwanted telephone calls to residential or personal wireless telephone numbers. The Act provides that no person or entity shall make or cause to be made any telephone solicitation to the telephone of any residential subscriber or wireless telephone service subscriber in Colorado who has added their telephone number and zip code to the Colorado no-call list in accordance with rules promulgated under Colo. Rev. Stat. §6-1-905 (Colo. Rev. Stat. §6-1-904(1)(a)).

The Colorado Charitable Solicitations Act of 1988 (Colo. Rev. Stat. §§6-16-101 - 6-16-114) places legal limits on telephonic solicitations by charitable organizations.

Colorado has defined 'deceptive trade practices' prohibited by the Colorado Consumer Protection Act to include violations of the prohibitions against spam emails and faxes (Colo. Rev. Stat. §6-1-105(1)(cc)) and unlawful telemarketing (Colo. Rev. Stat §6-1-105(1)(ww)).

Colo. Rev. Stat. §18-9-311 provides that no person shall utilize an automated dialing system with a prerecorded message for the purpose of soliciting another person to purchase goods or services, whether such solicitation occurs or is intended to occur during the pre-recorded message or during some further communication initiated by or resulting from the prerecorded message unless there is an existing business relationship between such persons and the person being called then consents to hear the prerecorded message.

8. Privacy Policies

See the section above regarding the CPA, which requires controllers to provide reasonably accessible, clear, and meaningful privacy notices that include certain specified content.

Under §6-1-1308 of the CPA, controllers must provide consumers with a clear and meaningful privacy notice. The notice must be reasonably accessible and include the following:

• the categories of personal data collected or processed;
• the purposes for which the personal data is processed;
• a description of the consumer rights and how a consumer can exercise them;
• the categories of personal data that are shared with third parties; and
• the categories of third parties with whom the personal data is shared.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing (Colo. Rev. Stat. 6-1-1308(1)(b)).

9. Data Disposal/Cybersecurity/Data Security

See the section above regarding the CPA, which requires controllers to take reasonable measures to secure data during storage and use (Colo. Rev. Stat. §6-1-1308(5)).

In addition, the Colorado Consumer Protection Act contains three of Colorado's primary data security laws. In addition to the requirement to promptly notify Colorado residents when their information is at risk of being misused by unauthorized third parties, Colorado's data security laws require companies to take reasonable steps to protect personally identifiable information, and to dispose of it when it is no longer needed.

9.1 Data Security

The Colorado Consumer Protection Act requires 'covered entities' to implement and maintain reasonable security procedures to protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction (Colo. Rev. Stat. §6-1-713.5(1)).

The law also requires covered entities to limit third-party disclosures of personal identifying information when engaging third parties to maintain, store, or process personal identifying information by ensuring third parties maintain technical controls designed to:

• protect the information from unauthorized access, use, modification, disclosure, or destruction; or
• eliminate the third party's access to the information despite the information being in its possession (Colo. Rev. Stat. §6-1-713.5(2)).

Key Definitions

• 'Covered entity' means a person, as defined in Colo. Rev. Stat. §6-1-102(6), that maintains, owns, or licenses personal identifying information in the course of the person's business, vocation, or occupation. 'Covered entity' does not include a person acting as a third-party service provider as defined in Colo. Rev. Stat. §6-1-713.5 (Colo. Rev. Stat. §6-1-713(2)(a)).
• 'Person' means an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity (Colo. Rev. Stat. §6-1-102(6)).
• 'Third-party service provider' means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity (Colo. Rev. Stat. §6-1-713.5(5)).
• 'Personal identifying information' means:
  • a social security number;
  • a personal identification number;
  • a password;
  • a passcode;
  • an official state or government-issued driver's license or identification card number;
  • a government passport number;
  • biometric data, as defined in section Colo. Rev. Stat. §6-1-716(1)(a);
  • an employer, student, or military identification number; or
  • a financial transaction device, as defined in Colo. Rev. Stat. §18-5-701(3) (Colo. Rev. Stat. §6-1-713(2)(a)).
• 'Biometric data' means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when they access an online account (Colo. Rev. Stat. §6-1-716(1)(a)).
• 'Financial transaction device' means any instrument or device whether known as a credit card, banking card, debit card, electronic fund transfer card, or guaranteed check card, or account number representing a financial account or affecting the financial interest, standing, or obligation of or to the account holder, that can be used to obtain cash, goods, property, or services or to make financial payments, but shall not include a 'check', a 'negotiable order of withdrawal', and a 'share draft' as defined in section 18-5-205 (Colo. Rev. Stat. §18-5-701(3)).

Enforcement

The AG may bring an action in law or equity to address violations of Colo. Rev. Stat. §6-1-713 (Colo. Rev. Stat. §6-1-716 (4)). There is no private right of action available under the Colorado Consumer Protection Act.

9.2 Data Disposal

The Colorado Consumer Protection Act requires certain persons and entities that maintain personal identifying information (PII) in paper or electronic form to establish written policies governing the disposal of PII. The written policy must require that when such paper or electronic documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain PII by shredding, erasing, or otherwise modifying the PII to make the PII unreadable or indecipherable through any means (Colo. Rev. Stat. §6-1-713(1)).

Scope of Application

Colorado's data disposal law applies to covered entities in Colorado that maintain paper or electronic documents during the course of business that contain personal identifying information (Colo. Rev. Stat. §6-1-713(1)).

9.3 Security Breach Notification

Like every state in the US, Colorado has enacted a security breach notification law, under §6-1-716 of the Colorado Consumer Protection Act (the 'Breach Notification Law').

Colorado has a similar statute governing data breach notification for governmental entities. Colorado's data breach notification statute governing governmental entities is codified at Colo. Rev. Stat §24-73-103.

Scope of Application

Colorado's Breach Notification Law applies to covered entities that maintain, own, or license computerized data that includes personal information about a resident of Colorado (Colo. Rev. Stat. §6-1-716(2)).

Key Definitions

• 'Covered entity' means a person, as defined in Colo. Rev. Stat. §6-1-102(6), that maintains, owns, or licenses personal information in the course of the person's business, vocation, or occupation. 'Covered entity' does not include a person acting as a third-party service provider as defined in subsection (1)(i) of this section (Colo. Rev. Stat. §6-1-716(1)(b)).
• 'Person' means an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity (Colo. Rev. Stat. §6-1-102(6)).
• 'Third-party service provider' means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity (Colo. Rev. Stat. §6-1-713.5(5)).
• 'Personal information' is defined as a Colorado resident's;
  • first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
    • social security number;
    • student, military, or passport identification number;
    • driver's license number or identification card number;
    • medical information;
    • health insurance identification number; or
    • biometric data;
  • username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or
  • account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account (Colo. Rev. Stat. §6-1-716(1)(g)(I)).

'Personal information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media (Colo. Rev. Stat. §6-1-716(1)(g)(II)).

• 'Biometric data' means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when they access an online account. (Colo. Rev. Stat. §6-1-716(1)(a)).
• 'Security breach' is defined as 'the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity' (Colo. Rev. Stat. §6-1-716(1)(h)). 'Security breach' does not include good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity's business purposes, if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure (Colo. Rev. Stat. §6-1-716(1)(h)).

Obligations

Under Colorado's Breach Notification Law, a covered entity subject to compliance with the law must do the following when it becomes aware of a security breach:

• conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused; and
• give notice to the affected Colorado residents as soon as possible, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur (Colo. Rev. Stat. §6-1-716(2)(a)).

Notice must be given to affected Colorado residents by any of the following methods:

• written notice to the postal address listed in the records of the covered entity;
• telephonic notice;
• electronic notice, provided that electronic notice is a primary means of communication by the covered entity with the Colorado residents or electronic notice is given in accordance with the provisions regarding electronic records and signatures set forth in Electronic Signatures in Global and National Commerce Act, 15 USCS §7001; or
• substitute Notice (Colo. Rev. Stat. §6-1-716(1)(f).

If the security breach is reasonably believed to have affected 500 Colorado residents or more, the covered entity is also required to notify the Colorado attorney general no later than 30 days after the date of determination that a security breach occurred, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur (Colo. Rev. Stat. §6-1-716(2)(f)).

If a covered entity is required to notify more than 1,000 Colorado residents of a security breach, the covered entity is also required to notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by the federal 'Fair Credit Reporting Act', 15 U.S.C. sec. 1681a(p), of the anticipated date of the notification to the residents, and the approximate number of residents who are to be notified (Colo. Rev. Stat. §6-1-716 (2)(d)). This provision does not apply to covered entities who are subject to Title V of the federal 'Gramm-Leach-Bliley Act', 15 U.S.C. sec. 6801 et seq. (Colo. Rev. Stat. §6-1-716 (2)(d)).

Enforcement

Under Colorado's Breach Notification Law, the AG may bring an action in law or equity to address violations of the statute and for other appropriate relief to ensure compliance with the statute and/or recover direct economic damages resulting from a violation of the statute (Colo. Rev. Stat. §6-1-716 (4)). In addition, upon receipt of a notice pursuant to Colo. Rev. Stat. §6-1-716 (2), and with either a request from the governor to prosecute a particular case or with the approval of the district attorney with jurisdiction to prosecute cases in the judicial district where a case could be brought, the AG has the authority to prosecute any criminal violations of Colo. Rev. Stat. §18-5.5-102.

Colorado's Breach Notification Law does not expressly provide for a private right of action.

10. Other Specific Jurisdictional Requirements

Not applicable.