info@thewbkfirm.com
202.628.2000

WBK Industry News - State Regulatory Developments

Colorado Enhances Data Privacy for Consumers

05 Aug 2021

On July 7, 2021, Colorado’s governor signed the state’s new privacy legislation into law. The Colorado Privacy Act (CPA) will not take effect until July 1, 2023. Although the CPA does not convey a new private right of action to consumers, the state’s attorney general and district attorneys may enforce violations as deceptive trade practices.

The CPA applies to “Controllers,” entities that determine the purposes and means of processing personal data, and “Processors,” entities that process personal data on behalf of a Controller. “Personal Data” is broadly defined as information that is linked or reasonably linkable to an identified or identifiable individual other than information lawfully made available by government sources or information the consumer has made available to the general public.

Among other things, the CPA contains several provisions conferring privacy rights to consumers and mandating new requirements to Controllers, who have primary responsibility, and Processors, who are required to assist the Controllers in meeting their obligations:

  • Consumers will have the right to confirm whether a Controller is processing their personal data.
  • Consumers will have the right to access personal data in a portable and readily usable format to enable transfer to another entity.
  • Consumers will have the right to correct inaccurate personal data.
  • Consumers will have the right to delete personal data.
  • Consumers will have the right to opt out of the processing of their data for targeted advertising, the sale of their data, and for profiling.
  • Controllers must create an internal system to accept and respond to consumer privacy requests.
  • Controllers must allow consumers to appeal a decision not to honor a data rights request.
  • Controllers must provide privacy notices to consumers describing their data processing activities.
  • Controllers may not use personal data without the consumer’s consent.
  • Controllers must protect personal data from unauthorized acquisition.

For more details concerning the updates, the Privacy Act is available here.