The act creates personal data privacy rights and:
- Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
- Control or process personal data of at least 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
- Does not apply to certain specified entities including state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.
The act defines a "controller" as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A "processor" means a person that processes personal data on behalf of a controller. Consumers have the right to opt out of a controller's processing of their personal data; access, correct, or delete the data; or obtain from a controller a portable copy of the data.
- Specifies how controllers must fulfill duties regarding consumers' assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
- Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data; and
- Specifies that a violation of its requirements is a deceptive trade practice for purposes of enforcement, but the act may be enforced only by the attorney general or district attorneys.
Local governments are preempted from adopting laws that govern the processing of personal data by controllers or processors. The attorney general may promulgate rules to administer the act and is required to adopt rules detailing technical specifications for a universal opt-out mechanism that controllers must use.
(Note: This summary applies to this bill as enacted.)