On June 8, the Colorado Privacy Act was passed by both houses and now awaits the governor’s signature to become law. Like other omnibus state laws passed in the United States (California and Virginia notably), there are a lot of details to review. Colorado is perhaps an example of what we can expect in the future – some similarities, some differences, and some new elements. Similarities include consumer rights, privacy notices, and opt outs of certain processing activities, such as the sale of personal data.
Normally the governor would have ten days to sign, but since the legislative session is over for 2021, he has thirty days to sign or veto (Colo. Const. Art. IV, Section 11). If he does not do either, it becomes law by default. If passed, the effective date will be July 1, 2023 as long as there is no referendum petition filed. If there is, then the law and its enforcement date are subject to election protocols.
Given the extent of the Colorado Privacy Act, we will provide a four-part blog series to address all the components:
Part I – Overview
Part II – Consumer Rights and how to implement your response program
Part III – Special Processing Activities (targeted ads, sales, profiling) & Consent
Part IV – Responsibilities of the Parties & Contracts
It is easy to see the similarities to and differences from other state omnibus privacy laws. Like Virginia, Colorado adopts many of the concepts of the European Union’s General Data Protection Regulation, such as controllers and processors. Controllers being “a person that, alone or jointly, determines the purposes for and means of processing personal data.” Likewise, a processor is someone that “processes personal data on behalf of a controller.” However, Colorado provides instruction on when processors become controllers through their actions.
Colorado makes it clear that the de ..
Support the originator by clicking the read the rest link below.
){kind=link}