The bill creates personal data privacy rights and:
- Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
  - Control or process personal data of more than 100,000 consumers per calendar year; or
  - Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
- Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.
Consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a "controller" as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A "processor" means a person that processes personal data on behalf of a controller.
The bill:
- Specifies how controllers must fulfill duties regarding consumers' assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
- Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data; and
- Specifies that a violation of its requirements is a deceptive trade practice, but the bill may be enforced only by the attorney general or district attorneys.
(Note: Italicized words indicate new material added to the original summary; dashes through words indicate deletions from the original summary.)
(Note: This summary applies to the reengrossed version of this bill as introduced in the second house.)