Companies will have to comply with the state’s data privacy protections by Jan. 1, 2023; Gov. Jared Polis says more legislative action will be needed next year.
7/15/2021 10:00
After signing the third major piece of data privacy legislation in the U.S. this month, Colorado Gov. Jared Polis said “clean-up legislation” will be required next year to ensure the Colorado Privacy Act (S.B. 21-190) doesn’t hinder innovation while protecting consumers.
Requirements in the law include personal data privacy rights for consumers, such as:
- Specifying how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination and sensitive data;
- Requiring controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data or processing sensitive data; and
- Specifying that a violation of its requirements is a deceptive trade practice, but the bill may be enforced only by the attorney general or district attorneys.
Colorado’s legislature passed the Colorado Privacy Act (CPA) in June. Virginia passed the Virginia Consumer Data Protection Act in March, and it will also take effect Jan. 1, 2023, ACA International previously reported. Colorado’s law is similar to the Virginia requirements, and both follow the lead of the California Consumer Privacy Act (CCPA).
Washington state’s legislature worked on a data privacy law this year, but it failed to pass before the legislature adjourned.
According to an article from Troutman Pepper, an ACA International member company based in Virginia Beach, Virginia, the Colorado Attorney General has rulemaking authority under the Colorado Privacy Act and enforcement is authorized by the attorney general and district attorneys.
The Colorado Privacy Act differs from the CCPA and Virginia Consumer Data Protection Act because of its rulemaking and enforcement requirements, among others, according to the article.
Polis commended the sponsors and supporters of S.B. 21-190, but said more work needs to be done.
“In the haste to pass this bill, several issues remain outstanding,” Polis said in a news release. (See the governor’s signing statement.) “My chief concern is ensuring Colorado’s competitiveness with other states as an incubator of new technologies and innovations. S.B. 21-190 will require clean-up legislation next year, and in fact, the sponsors, proponents, industry and consumers are already engaged in conversations to craft this bill. We encourage those to continue but urge that they strike the appropriate balance between consumer protection while not stifling innovation and not stifling Colorado’s position as a top state to do business.”