Colorado Joins Ranks of States Introducing Consumer Data Privacy Legislation
On March 19, 2021, Colorado State Senators Richard Rodriguez (D) and Paul Lundeen (R) introduced Senate Bill 21-190 as part of a bipartisan effort to make Colorado the latest state to implement comprehensive legislation establishing certain consumer data privacy rights. Dubbed "A Bill for an Act Concerning Additional Protection of Data Relating to Personal Privacy," SB 21-190 largely follows in the footsteps of California's CCPA, Virginia's CDPA and the European Union's GDPR, with a stated intent to "empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate."

Who's Affected: SB 21-190 applies to legal entities that (a) conduct business or produce products or services that are intentionally targeted to Colorado residents and (b) either (i) control or process personal data of more than 100,000 consumers per calendar year or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

Scope of "Personal Data": SB 21-190 defines "personal data" as "information that is linked or reasonably linkable to an identified or identifiable individual," with the exceptions of (a) de-identified data and (b) publicly available information.
- "de-identified data" means data that do not identify an individual with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
- "publicly available information" means information (i) lawfully made available from federal, state or local government records, (ii) a controller has a reasonable basis to believe the consumer has lawfully made available to the general public or to widely distributed media; and (iii) made available to the general public by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.
- Right to opt out of the processing of personal data concerning the consumer;
- Right to access the consumer's personal data and confirm whether a controller is processing personal data concerning the consumer;
- Right to correct inaccurate personal data collected from the consumer;
- Right to delete personal data concerning the consumer;
- Right to obtain the consumer's personal data in a portable and readily usable format up to two times per calendar year.

Controller Duties: SB 21-190 imposes the following duties on controllers:

- Duty of transparency: The controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data collected or processed by the controller or a processor;
- The purposes for which the categories of personal data are processed;
- An estimate of how long the controller may or will maintain the consumer's personal data;
- An explanation of how and where consumers may exercise their rights under SB 21-190;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
- Duty of purpose specification: A controller must specify the express purposes for which personal data is collected and processed.
- Duty of data minimization: A controller's collection of personal data must be adequate, relevant, and limited to what is necessary in relation to the specified and express purposes for which the data are processed.
- Duty to avoid secondary use: A controller may not process personal data for purposes that are not necessary to or compatible with the specified and express purposes for which the personal data are processed, unless the controller obtains the consumer's consent.
- Duty of care: A controller must take reasonable measures to secure personal data during both storage and use from unauthorized acquisition.
- Duty regarding sensitive data: A controller must not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of processing of personal data concerning a known child or student, without obtaining consent from the child's or student's parent or lawful guardian. SB 21-190 defines "sensitive data" as (i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, (ii) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or (iii) personal data from a known child.
- Data protection assessments: Before engaging in processing that presents a heightened risk of harm to a consumer, a controller must conduct and document a data protection assessment of each of its processing activities that involves personal data acquired on or after the effective date of SB 21-190. SB 21-190 defines "processing that presents a heightened risk of harm to a consumer" as including the following: (i) processing personal data for purposes of targeted advertising or profiling; (ii) selling personal data; and (iii) processing sensitive data.
Perkins on Privacy
Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field.