Colorado
Summary
Law: The Colorado Privacy Act ('CPA')
Regulator: The Colorado Attorney General ('AG')
Summary: With the CPA, Colorado became the third US State to pass its own privacy law. The CPA provides several privacy rights, including the right to opt-out of the processing of personal data, as well the right to access, correction, or deletion of personal data, or to obtain a portable copy of the data. Furthermore, the CPA imposes obligations on data controllers such as purpose specification, data minimization, and the use of sensitive data, among others. In addition, the CPA requires controllers to conduct assessments when processing personal data in activities that present a heightened risk to consumers and assigns enforcement powers to the AG and District Attorneys. The CPA entered into effect on 1 July 2023.
On 30 September 2022, the AG published its draft rules implementing the CPA. In particular, these rules would expand privacy requirements under the CPA and address topics, such as consumer requests, data protection assessments, profiling, and the universal opt-out mechanism. On 15 March 2023, the finalized CPA rules were filed with the Colorado Secretary of State's Office and will enter into effect on 1 July 2023.
In addition to the CPA, House Bill 18-1128 for an Act Concerning Strengthening Protections for Consumer Data Privacy ('the Act') was signed into law and entered into force on 29 May 2018. The Act amends § 6-1-713 of the Colorado Revised Statutes and concerns, among other things, the disposal of personal identifying information by requiring a written policy to be developed for the destruction or proper disposal of such documents. The Colorado Revised Statutes, as amended by the Act, sets out the breach notification requirements, including stipulating the content and timeframe for notices to be sent to the AG.
You can track other US State bills through our US State Law Tracker.