Colorado has introduced the “Colorado Privacy Act” bill (SB21-190).
Key things to note:
- Recital notes that the “EU GDPR is emerging as a model for countries across the globe in data privacy.”
- Consumer rights: access, correction, deletion, data portability, and the right to opt out of general collection and use of personal data, not just use for sale.
- Opt-in consent for processing sensitive data.
- Affirmative obligation for information security.
- Requirement for clear, transparent privacy disclosure.
- Requirement for data protection assessments (for targeted advertising, sale, sensitive data).
- Enforcement by AG.
- Definition of “consent” modeled after Article 7 of GDPR.
- Different definition of “de-identified data” which is similar to that under HIPAA.
- Processing must be necessary, reasonable and proportionate to the specific purpose disclosed.
- Controller is liable for a processor’s actions.
- Requirement for controller/processor agreement but no specifics.