Colorado Privacy Act
Comprehensive Colorado privacy law granting consumer rights, requiring data protection assessments, and mandating universal opt-out mechanisms.
Definitions
Provides definitions for core terms under the Colorado Privacy Act, including controller, processor, consumer, personal data, and consent.
Applicability
Applies to controllers conducting business in Colorado or targeting Colorado residents who process personal data of 100,000+ consumers, or 25,000+ consumers while deriving revenue from data sale.
Consumer Rights
Grants consumers the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale of personal data, and profiling. Mandates honoring technical universal opt-out signals (like GPC) since July 1, 2024.
Duties of Controllers
Requires controllers to specify processing purposes, minimize data collection, implement data security, avoid processing sensitive data without consent, and provide transparent privacy notices.
Data Protection Assessments
Mandates controllers to conduct data protection assessments for processing activities presenting a heightened risk of harm to consumers, such as targeted advertising, sale of personal data, or profiling.
Enforcement and Penalties
Authorizes the Colorado Attorney General and district attorneys to enforce the Act. Clarifies that there is no private right of action and outlines enforcement actions and penalties.
Legal notice: This reference library is for informational purposes only and does not constitute legal advice. Excerpts are reproduced from official public sources and are current as of May 2024. Laws and regulations change: always verify against the authoritative source and consult a qualified attorney.