On July 8, 2021, Colorado enacted the Colorado Privacy Act, SB 21-190, following Virginia and California. The law becomes effective July 1, 2023.
Below are high-level details about the CPA. Please contact our firm to determine whether your organization must comply with the CPA, and, if so, the specifics regarding such compliance.
The law applies to any individual, corporation, government or governmental subdivision or agency, business trust, estate, trust, limited liability company, partnership, association, or other legal entity (“Controller”) that:
- alone or jointly with others, determines the purposes for and means of processing personal data
or
- delivers commercial products/services targeted to Colorado residents
and
- during a calendar year, controls or processes personal data of at least 100,000 consumers
or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes personal data of at least 25,000 consumers
Consumers have the following rights:
- To confirm whether a controller is processing personal data and to access the personal data
- To correct inaccuracies in the personal data
- To delete their personal data
- To data portability
- To opt out of targeted advertising, sale or profiling
Controller Duties:
- Transparency
- Purpose specification and limits on secondary uses
- Data minimization
- Care in securing personal data
- Avoid unlawful discrimination
- Restriction on processing sensitive data absent consent
Other Obligations:
- Provision of a privacy notice
- Contracts with processors
- Data Protection Assessments