SB21-190

Protect Personal Data Privacy

Concerning additional protection of data relating to personal privacy.
Session: 2021 Regular Session
Subject: Financial Services & Commerce
Bill Summary

The bill creates personal data privacy rights and:

  • Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
      • Control or process personal data of more than 100,000 consumers per calendar year; or
      • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
  • Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.

Consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a "controller" as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A "processor" means a person that processes personal data on behalf of a controller.

The bill:

  • Specifies how controllers must fulfill duties regarding consumers' assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
  • Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data; and
  • Specifies that a violation of its requirements is a deceptive trade practice, but the bill may be enforced only by the attorney general or district attorneys.

Local governments are preempted from adopting laws that govern the processing of personal data by controllers or processors. The attorney general may promulgate rules to administer the bill, including technical specifications for a universal opt-out mechanism that controllers must use.

(Note: Italicized words indicate new material added to the original summary; dashes through words indicate deletions from the original summary.)


(Note: This summary applies to the reengrossed version of this bill as introduced in the second house.)

Status

Introduced
Passed
