Colorado has introduced the “Colorado Privacy Act” bill (SB21-190).

Key things to note:
  • Recital notes that the “EU GDPR is emerging as a model for countries across the globe in data privacy.”
  • Consumer rights: access, correction, deletion, data portability, and the right to opt out of general collection and use of personal data, not just use for sale.
  • Opt-in consent for processing sensitive data.
  • Affirmative obligation for information security.
  • Requirement for clear, transparent privacy disclosure.
  • Requirement for data protection assessments (for targeted advertising, sale, sensitive data).
  • Enforcement by AG.
  • Definition of “consent” modeled after Article 7 of GDPR.
  • Different definition of “de-identified data”, which is similar to that under HIPAA.
  • Processing must be necessary, reasonable and proportionate to the specific purpose disclosed.
  • Controller is liable for a processor’s actions.
  • Requirement for controller/processor agreement but no specifics.

Read the full text of the legislation.