Colorado Privacy Act is in effect

NEWS RELEASE
ATTORNEY GENERAL PHIL WEISER'S OFFICE
********************************************************

Attorney General Phil Weiser reminded Colorado consumers, along with businesses, nonprofits, and other organizations that the Colorado Privacy Act is in effect starting July 1.

Originally passed during the 2021 legislative session, the new data privacy law gives consumers new rights and imposes new responsibilities on some businesses and other entities when it comes to the collection and use of personal data. The law’s implementation follows rulemaking conducted by the Department of Law after months of public comment from consumers, businesses, nonprofits, and other organizations in Colorado and across the country. Those rules were approved earlier this year.

“For too long, consumers were in the dark when it came to what types of data entities keep on them, how that data is shared, and lacked a way to opt out of data collection,” said Weiser. “Starting today, Coloradans will have more control of their own private, personal data than ever before.”

For consumers, the new law means new rights:

  • The right to opt out of the sale of their personal data, or the use of personal data for targeted advertising and certain types of profiling;
  • The right to know whether certain personal data is being collected;
  • The right to access certain personal data collected about them;
  • The right to correct personal data;
  • The right to delete personal data; and
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

The Colorado Privacy Act applies to entities that operate in Colorado or target Colorado citizens and, in a calendar year, either collect more than 100,000 individuals’ data, or derive revenue or otherwise benefit from the sale of personal data and process the personal data of more than 25,000 individuals. These covered entities will have new responsibilities, including providing notice to consumers about:

  • What types of data they collect or process;
  • The purpose for collecting that data;
  • The type of data they share with third parties and the categories of those third parties;
  • How people can access, correct, delete, and download and transmit their personal data; and
  • Whether they sell any personal data or process it for targeted advertising, as well as how people can opt out of having their data sold or used for targeted ads.

While the businesses, nonprofits, and other organizations subject to the law must allow Coloradans to opt out of certain types of data use directly, beginning in 2024 they will also have to honor consumer use of universal opt-out options that will apply to multiple businesses and other organizations subject to the law.

Organizations subject to the new law must also obtain consent from consumers before collecting or using sensitive personal data, which includes the personal data of children under 13, certain genetic or biometric data, and personal data that reveals highly personal information such as race or ethnicity, religious beliefs, health condition or diagnosis, sexual orientation, or citizenship status.

The law only applies to Colorado residents while acting in an individual or household capacity (e.g., when browsing the internet or signing up for a retail rewards program) and does not apply to data collected in an employment context.

For more information about the Colorado Privacy Act’s new rights and responsibilities, including an FAQ and informational webinars for consumers and organizations, please visit www.coag.gov/cpa