The Colorado Privacy Act

The Colorado Privacy Act, a comprehensive consumer data privacy law that grants Colorado consumers new rights to their personal data, went into effect July 1, 2023. In the absence of a comprehensive federal privacy law, Colorado is part of an accelerating trend among the states to enact privacy laws to protect consumer data. Including Colorado, there are now 13 states that have enacted such laws (the others are California, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia). Although these laws share similarities, a unique feature of the Colorado Privacy Act is that it extends to nonprofit organizations.

Under the new law, Colorado consumers have the right to (a) access their personal data, (b) correct their personal data, (c) delete their personal data and (d) opt out of the sale, collection and use of their personal data for targeted advertising.

The Act also requires businesses and nonprofits to take on certain responsibilities when dealing with Colorado consumers’ data. These include an obligation to (a) safeguard consumers’ personal data, (b) provide clear, understandable and transparent information to consumers about how an entity uses personal data and (c) strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.

Under the Act, a consumer is any Colorado resident, and controllers are businesses and nonprofits that collect, use and store personal data. This law applies to businesses that operate in Colorado or target their products to Colorado residents and collect the personal data of 100,000 consumers a year or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. The law does not include a private right of action, and only the Attorney General and Colorado District Attorneys have the power to bring suit. The Colorado Attorney General has the power to enforce the law, access and evaluate a company’s data protection assessments, impose penalties for violations and act to prevent future violations.