Simon Coulthard July 15, 2021
Colorado is the third US state, after California and Virginia, to pass a law meant to protect the data of its citizens.
The Colorado Privacy Act was signed into law by Governor Jared Polis on the 7th of July, 2021. This new privacy act will go into effect in July 2023. Here’s what you, as a website owner, need to know about this.
According to the Colorado General Assembly, the legislature of the State of Colorado, this bill’s purpose is to create and implement personal data privacy rights and:
Consumers have the right to opt-out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a "controller" as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A "processor" means a person that processes personal data on behalf of a controller.”
As mentioned before, CPA follows the principles of its counterpart laws, the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), both of which are based on the principles of the European General Data Protection Regulation, also known as the GDPR.
Defining consumer rights: All three of these laws provide rights of access, deletion, correction, and portability, as well as the right to opt out of targeted advertising, sales, and certain profiling decisions that have legal or similar effects. A difference between CCPA and CPA is that Colorado consumers need to use an authorized agent for sale opt-out requests.
Addressing consumer rights decisions: Colorado’s consumer appeal process is similar to Virginia’s. Under CPA, if a consumer has a valid request, the controller must allow the consumer to appeal its decision. The controller must also let the consumer know the reasons for rejecting the request and inform him or her of the right to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
Opt-out requests: Unlike the Californian law, which makes the global privacy control optional, CPA requires controllers to comply with the universal opt-out. The technical specifications for this process are still under debate but will be announced well before the law goes into effect in July 2023.
Data processing consent: Similar to the Virginia law, CPA requires opt-in consent for processing sensitive personal data such as:
The Colorado Privacy Act also requires consent for processing the information of children under 13 years old.
Controller obligations: CPA’s list of duties for controllers includes:
These are very similar to the ones mentioned in the CCPA and VCDPA.
Data protection assessments: CPA requires data protection assessments (DPAs) to be in place for activities such as targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with VCDPA, the Colorado Attorney General has the right to access the controller’s DPAs.
Here at TWIPLA, helped by a great team of privacy lawyers, we do our best to keep you informed about data privacy laws and to offer you an analytics tool that’s always going to be compliant with the constant legal changes from all over the world.
TWIPLA is CPA, CCPA and VCDPA compliant.
If you haven’t tried our tool yet, you can register for free, and import your Google Analytics historical data with a few clicks.