On June 8, the Colorado General Assembly passed Senate Bill 190, the Colorado Privacy Act (the “Act”).  This is another comprehensive state privacy law in the United States, after California, Virginia and Washington.  It is also similar to the GDPR.  The bill has now been sent to Governor Jared Polis (D-Colo.).

            The Act is designed to provide consumers with greater ability to control and dictate how their data is used.  It applies to businesses that collect and store data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers.  It includes numerous data subject rights, a broad targeted advertising and information sale opt-out regime designed to provide consumers with a one-click method to exercise opt-out right across websites, and a right to cure. 

• Applies to organizations that conduct business in Colorado or intentionally target their products/services to Colorado residents (individuals or households that either: (i) control or process personal data of more than 100,000 consumers per calendar year; or (ii) derive revenue from the sale of personal data and control or processes the personal data of at least 25,000 consumers;
• Provides consumers with the right to opt-out of the processing of personal data;
• Can authorize another person to act on consumer’s behalf to opt-out of the processing of personal data for purposes of targeted advertising or the sale of the consumer’s data;
• Consumers able to confirm whether personal data is being processed and access that data in a portable and readily usable format;
• Consumers may correct inaccurate personal data;
• Consumers may delete personal data; and
• Consumers have to provide consent prior to the collection of designated sensitive personal data

            Organizations will be required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.  Also, organizations will be required to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice.  The notice must contain disclosures regarding applicable data collection and sharing practices.

            Importantly, the Act does not mandate that companies wholly implement burdensome compliance measures that are not, to some extent, already required by the California and Virginia laws.  Although, the Act’s universal opt-out mechanism and required data protection assessment may prove challenging when endeavoring to implement comprehensive regulatory compliance with a single, common denominator.

            Many experts believe that the Act provides reasonable balance between consumer privacy, compliance, and permitting businesses and technology to thrive.

            The attorney general and state district attorneys are vested with rulemaking and enforcement.  The bill provides for civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations.

            The Act does not provide a private right of action.

            The effective date for the legislation is July 1, 2023.

            This article should therefore be of interest to digital marketers that may fall within the Act’s scope.  Contact experienced FTC defense lawyers if you are interested in discussing the nuances of the Colorado Privacy Act and compliance therewith. 

Richard B. Newman is an advertising practices attorney at Hinch Newman LLP.  Follow FTC defense lawyers on National Law Review.

Informational purposes only. Not legal advice. May be considered attorney advertising.