(effective July 1, 2023)
6–1–1301. Short title.
The short title of this part 13 is the “Colorado Privacy Act”.
6–1–1302. Legislative declaration.
(1) The general assembly hereby:
- The general assembly hereby:
- Finds that:
- The people of Colorado regard their privacy as a fundamental right and an essential element of their individual freedom;
- Colorado’s constitution explicitly provides the right to privacy under section 7 of article II, and fundamental privacy rights have long been, and continue to be, integral to protecting Coloradans and to safeguarding our democratic republic;
- Ongoing advances in technology have produced exponential growth in the volume and variety of personal data being generated, collected, stored, and analyzed and these advances present both promise and potential peril;
- The ability to harness and use data in positive ways is driving innovation and brings beneficial technologies to society, but it has also created risks to privacy and freedom; and
- The unauthorized disclosure of personal information and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm;
- Determines that:
- Technological innovation and new uses of data can help solve societal problems and improve lives, and it is possible to build a world where technological innovation and privacy can coexist; and
- States across the United States are looking to this part 13 and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level; and
- Declares that:
- By enacting this part 13, Colorado will be among the states that empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate;
- This part 13 addresses issues of statewide concern and:
- Provides consumers the right to access, correct, and delete personal data and the right to opt out not only of the sale of personal data but also of the collection and use of personal data;
- Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data; and
- Empowers the attorney general and district attorneys to access and evaluate a company’s data protection assessments, to impose penalties where violations occur, and to prevent future violations.
- Finds that:
6–1–1303. Definitions.
As used in this part 13, unless the context otherwise requires:
- “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in this subsection (1), “control” means:
- Ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons;
- Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or
- The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any.
- “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights in section 6–1–1306 (1) is being made by or on behalf of the consumer who is entitled to exercise the rights.
- “Business associate” has the meaning established in 45 CFR 160.103.
- “Child” means an individual under thirteen years of age.
- “Consent” means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent:
- Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
- Hovering over, muting, pausing, or closing a given piece of content; and
- Agreement obtained through dark patterns.
- “Consumer”:
- Means an individual who is a Colorado resident acting only in an individual or household context; and
- Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
- “Controller” means a person that, alone or jointly with others, determines the purposes for and means of processing personal data.
- “Covered entity” has the meaning established in 45 CFR 160.103.
- “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
- “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.
- “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:
- Takes reasonable measures to ensure that the data cannot be associated with an individual;
- Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and
- Contractually obligates any recipients of the information to comply with the requirements of this subsection (11).
- “Health-care facility” means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state.
- “Health-care information” means individually identifiable information relating to the past, present, or future health status of an individual.
- “Health-care provider” means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under title 12.
- “HIPAA” means the federal “Health Insurance Portability and Accountability Act of 1996”, as amended, 42 U.S.C. secs. 1320d to 1320d–9.
- “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
- “Personal data”:
- Means information that is linked or reasonably linkable to an identified or identifiable individual; and
- Does not include de-identified data or publicly available information. As used in this subsection (17)(b), “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.
- “Process” or “processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.
- “Processor” means a person that processes personal data on behalf of a controller.
- “Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- “Protected health information” has the meaning established in 45 CFR 160.103.
- “Pseudonymous data” means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.
- a. “Sale”, “sell”, or “sold” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
- “Sale”, “sell”, or “sold” does not include the following:
- The disclosure of personal data to a processor that processes the personal data on behalf of a controller;
- The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- The disclosure or transfer of personal data to an affiliate of the controller;
- The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
- The disclosure of personal data:
- That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
- Intentionally made available by a consumer to the general public via a channel of mass media.
- “Sale”, “sell”, or “sold” does not include the following:
- “Sensitive data” means:
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
- Personal data from a known child.
- “Targeted advertising”:
- Means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and
- Does not include:
- Advertising to a consumer in response to the consumer’s request for information or feedback;
- Advertisements based on activities within a controller’s own websites or online applications;
- Advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or
- Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
- “Third party” means a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.
6–1–1304. Applicability of part.
- Except as specified in subsection (2) of this section, this part 13 applies to a controller that:
- Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
- Satisfies one or both of the following thresholds:
- Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.
- This part 13 does not apply to:
- Protected health information that is collected, stored, and processed by a covered entity or its business associates;
- Health-care information that is governed by part 8 of article 1 of title 25 solely for the purpose of access to medical records;
- Patient identifying information, as defined in 42 CFR 2.11, that are governed by and collected and processed pursuant to 42 CFR 2, established pursuant to 42 U.S.C. sec. 290dd–2;
- Identifiable private information, as defined in 45 CFR 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the categories set forth in this subsection (2)(d);
- Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations;
- Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of patient safety improvement pursuant to 42 CFR 3, established pursuant to 42 U.S.C. secs. 299b–21 to 299b–26;
- Information that is:
- De-identified in accordance with the requirements for de-identification set forth in 45 CFR 164; and
- Derived from any of the health-care-related information described in this section.
- Information maintained in the same manner as information under subsections (2)(a) to (2)(g) of this section by:
- A covered entity or business associate;
- A health-care facility or health-care provider; or
- A program of a qualified service organization as defined in 42 CFR 2.11;
- (i)(I) Except as provided in subsection (2)(i)(II) of this section, an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:
- A consumer reporting agency as defined in 15 U.S.C. sec. 1681a (f);
- A furnisher of information as set forth in 15 U.S.C. sec. 1681s–2 that provides information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a (d); or
- A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.
- This subsection (2)(i) applies only to the extent that the activity is regulated by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681 et seq., as amended, and the personal data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by the federal “Fair Credit Reporting Act”, as amended.
- Personal data:
- Collected and maintained for purposes of article 22 of title 10;
- Collected, processed, sold, or disclosed pursuant to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
- Collected, processed, sold, or disclosed pursuant to the federal “Driver’s Privacy Protection Act of 1994”, 18 U.S.C. sec. 2721 et seq., as amended, if the collection, processing, sale, or disclosure is regulated by that law, including implementing rules, regulations, or exemptions;
- Regulated by the federal “Children’s Online Privacy Protection Act of 1998”, 15 U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and maintained in compliance with that law; or
- Regulated by the federal “Family Educational Rights and Privacy Act of 1974”, 20 U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;
- Data maintained for employment records purposes;
- An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et seq., as amended, and 49 U.S.C. sec. 41713, as amended;
- A national securities association registered pursuant to the federal “Securities Exchange Act of 1934”, 15 U.S.C. sec. 78o–3, as amended, or implementing regulations;
- Customer data maintained by a public utility as defined in section 40–1–103 (1)(a)(I) or an authority as defined in section 43–4–503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law;
- Data maintained by a state institution of higher education, as defined in section 23–18–102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes. This subsection (2)(o) does not effect any other exemption available under this part 13.
- Information used and disclosed in compliance with 45 CFR 164.512; or
- A financial institution or an affiliate of a financial institution as defined by and that is subject to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, including Regulation P, 12 CFR 1016.
- The obligations imposed on controllers or processors under this part 13 do not:
- Restrict a controller’s or processor’s ability to:
-
- Comply with federal, state, or local laws, rules, or regulations;
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
- Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;
- Investigate, exercise, prepare for, or defend actual or anticipated legal claims;
- Conduct internal research to improve, repair, or develop products, services, or technology;
- Identify and repair technical errors that impair existing or intended functionality;
- Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller;
- Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
- Protect the vital interests of the consumer or of another individual;
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
- Process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing:
- Is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and
- Is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or
- Assist another person with any of the activities set forth in this subsection (3);
-
- Apply where compliance by the controller or processor with this part 13 would violate an evidentiary privilege under Colorado law;
- Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication;
- Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law; and
- Apply to the processing of personal data by an individual in the course of a purely personal or household activity.
- Restrict a controller’s or processor’s ability to:
- Personal data that are processed by a controller pursuant to an exception provided by this section:
- Shall not be processed for any purpose other than a purpose expressly listed in this section or as otherwise authorized by this part 13; and
- Shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section or as otherwise authorized by this part 13.
- If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (4) of this section.
6–1–1305. Responsibility according to role.
- Controllers and processors shall meet their respective obligations established under this part 13.
- Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this part 13. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:
- Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to consumer requests to exercise their rights pursuant to section 6–1–1306;
- Helping to meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6–1–716; and
- Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 6–1–1309. The controller and processor are each responsible for only the measures allocated to them.
- Notwithstanding the instructions of the controller, a processor shall:
- Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
- Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
- Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.
- Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out:
- The processing instructions to which the processor is bound, including the nature and purpose of the processing;
- The type of personal data subject to the processing, and the duration of the processing;
- The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and
- The following requirements:
- At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- A. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and
- The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor. Alternatively, the processor may, with the controller’s consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor’s expense, an audit of the processor’s policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request.
- In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by this part 13.
- Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller’s instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it is a controller with respect to the processing.
- a. A controller or processor that discloses personal data to another controller or processor in compliance with this part 13 does not violate this part 13 if the recipient processes the personal data in violation of this part 13, and, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
- A controller or processor receiving personal data from a controller or processor in compliance with this part 13 as specified in subsection (8)(a) of this section does not violate this part 13 if the controller or processor from which it receives the personal data fails to comply with applicable obligations under this part 13.
6–1–1306. Consumer personal data rights—repeal.
- Consumers may exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice required under section 6–1–1308 (1)(a). The method must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication relating to the request, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this section but may require a consumer to use an existing account. A consumer may submit a request at any time to a controller specifying which of the following rights the consumer wishes to exercise:
- (a) Right to opt out.
- A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:
- Targeted advertising;
- The sale of personal data; or
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
- A consumer may authorize another person, acting on the consumer’s behalf, to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in subsection (1)(a)(I) of this section, including through a technology indicating the consumer’s intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
- A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of this section. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice.
- (A) A controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6–1–1313. This subsection (1)(a)(IV)(A) is repealed, effective July 1, 2024.
- Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6–1–1313.
- Notwithstanding a consumer’s decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. Before obtaining a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. The web page, application, or other means by which a controller obtains a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.
- A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:
- Right of access.A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.
- Right to correction.A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
- Right to deletion.A consumer has the right to delete personal data concerning the consumer.
- Right to data portability.When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller’s trade secrets.
- (a) Right to opt out.
- Responding to consumer requests.
- A controller shall inform a consumer of any action taken on a request under subsection (1) of this section without undue delay and, in any event, within forty-five days after receipt of the request. The controller may extend the forty-five-day period by forty-five additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller shall inform the consumer of an extension within forty-five days after receipt of the request, together with the reasons for the delay.
- If a controller does not take action on the request of a consumer, the controller shall inform the consumer, without undue delay and, at the latest, within forty-five days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subsection (3) of this section.
- Upon request, a controller shall provide to the consumer the information specified in this section free of charge; except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated in the manner specified in section 24–72–205 (5)(a).
- A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.
- (a). A controller shall establish an internal process whereby consumers may appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer’s receipt of the notice sent by the controller under subsection (2)(b) of this section. The appeal process must be conspicuously available and as easy to use as the process for submitting a request under this section.
- Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. The controller may extend the forty-five-day period by sixty additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. The controller shall inform the consumer of an extension within forty-five days after receipt of the appeal, together with the reasons for the delay.
- The controller shall inform the consumer of the consumer’s ability to contact the attorney general if the consumer has concerns about the result of the appeal.
6–1–1307. Processing de-identified data.
- This part 13 does not require a controller or processor to do any of the following solely for purposes of complying with this part 13:
- Reidentify de-identified data;
- Comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to section 6–1–1306 (1), if all of the following are true:
- (A.) The controller is not reasonably capable of associating the request with the personal data; or
- It would be unreasonably burdensome for the controller to associate the request with the personal data;
- The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and
- The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer; or
- (A.) The controller is not reasonably capable of associating the request with the personal data; or
- Maintain data in identifiable form or collect, obtain, retain, or access any data or technology in order to enable the controller to associate an authenticated consumer request with personal data.
- A controller that uses de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data are subject and shall take appropriate steps to address any breaches of contractual commitments.
- The rights contained in section 6–1–1306 (1)(b) to (1)(e) do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
6–1–1308. Duties of controllers.
- Duty of transparency.
- A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data collected or processed by the controller or a processor;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise the rights pursuant to section 6–1–1306, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
- If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
- A controller shall not:
- Require a consumer to create a new account in order to exercise a right; or
- Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service.
- Nothing in this part 13 shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.
- A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- Duty of purpose specification. A controller shall specify the express purposes for which personal data are collected and processed.
- Duty of data minimization. A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.
- Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent.
- Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
- Duty to avoid unlawful discrimination. A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
- Duty regarding sensitive data. A controller shall not process a consumer’s sensitive data without first obtaining the consumer’s consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian.
6–1–1309. Data protection assessments—attorney general access and evaluation—definition.
- A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of this section that present a heightened risk of harm to a consumer.
- For purposes of this section, “processing that presents a heightened risk of harm to a consumer” includes the following:
- Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- Financial or physical injury to consumers;
- A physical or other intrusion upon the solitude or seclusion, or the private affairs or
concerns, of consumers if the intrusion would be offensive to a reasonable person; or - Other substantial injury to consumers;
- Selling personal data; and
- Processing sensitive data.
- Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
- Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
- A controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6–1–1308 and with other laws, including this article 1. Data protection assessments are confidential and exempt from public inspection and copying under the “Colorado Open Records Act”, part 2 of article 72 of title 24. The disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.
- A single data protection assessment may address a comparable set of processing operations that include similar activities.
- Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.
6–1–1310. Liability.
- Notwithstanding any provision in part 1 of this article 1, this part 13 does not authorize a private right of action for a violation of this part 13 or any other provision of law. This subsection (1) neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including this article 1, the state constitution, or the United States constitution.
- Where more than one controller or processor, or both a controller and a processor, involved in the same processing violates this part 13, the liability shall be allocated among the parties according to principles of comparative fault.
6–1–1311. Enforcement—penalties—repeal.
- (a.) Notwithstanding any other provision of this article 1, the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13.
- Notwithstanding any other provision of this article 1, nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law.
- For purposes only of enforcement of this part 13 by the attorney general or a district attorney, a violation of this part 13 is a deceptive trade practice.
- Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d) is repealed, effective January 1, 2025.
- The state treasurer shall credit all receipts from the imposition of civil penalties under this part 13 pursuant to section 24–31–108.
6–1–1312. Preemption—local governments.
This part 13 supersedes and preempts laws, ordinances, resolutions, regulations, or the equivalent adopted by any statutory or home rule municipality, county, or city and county regarding the processing of personal data by controllers or processors.
6–1–1313. Rules—opt-out mechanism.
- The attorney general may promulgate rules for the purpose of carrying out this part 13.
- By July 1, 2023, the attorney general shall adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6–1–1306 (1)(a)(I)(A) or (1)(a)(I)(B). The attorney general may update the rules that detail the technical specifications for the mechanisms from time to time to reflect the means by which consumers interact with controllers. The rules must:
- Not permit the manufacturer of a platform, browser, device, or any other product offering a universal opt-out mechanism to unfairly disadvantage another controller;
- Require controllers to inform consumers about the opt-out choices available under section 6–1–1306 (1)(a)(I);
- Not adopt a mechanism that is a default setting, but rather clearly represents the consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data pursuant to section 6–1–1306 (1)(a)(I)(A) or (1)(a)(I)(B);
- Adopt a mechanism that is consumer-friendly, clearly described, and easy to use by the average consumer;
- Adopt a mechanism that is as consistent as possible with any other similar mechanism required by law or regulation in the United States; and
- Permit the controller to accurately authenticate the consumer as a resident of this state and determine that the mechanism represents a legitimate request to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6–1–1306 (1)(a)(I)(A) or (1)(a)(I)(B).
- By January 1, 2025, the attorney general may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of this part 13. The rules must become effective by July 1, 2025.