Colorado became the fifth state in the U.S. after California, Delaware, Illinois, and Nevada, to enact a personal data protection law, and it’s a pretty comprehensive one. This is a very important development both for the 5.8 million people living in Colorado and for the United States in general, as the country is in dire need of more regulation on that part. Laws of this kind have the power to affect companies that do business with American customers in general, as they can be held accountable in cases of violation.
The new bill applies to legal entities that conduct business or produce commercial products and services targeting Colorado residents and which control or process personal data of more than 100,000 consumers per year. Also, the bill applies to companies that generate revenue from the sale, or control, or processing of personal data of at least 25,000 clients.
The law gives consumers the right to opt-out of the processing of their personal data and also the right to access, correct, request a portable copy of the data, or even request the deletion of all their personal information held by a company.
The controllers/processors are obliged to fulfill their duties in relation to the above, be transparent, determine exactly for what purpose they collect the data, avoid secondary use, avoid unlawful discrimination, and also try to collect as little personal information from their customers as possible.
The attorney general of Colorado, as well as the district attorneys, will be responsible for enforcing the new bill and reviewing cases of violation, deceptive trade practice, deviations, etc. A summary of the bill can be found here, while the full signed act is available on Colorado’s government portal. The act will take effect on July 1, 2023, allowing entities almost two years to prepare for compliance with the new data protection requirements.