Bill Text: CO SB190 - COLORADO PRIVACY ACT

SENATE BILL 21-190
BY SENATOR(S) Rodriguez and Lundeen, Bridges, Buckner, Coleman,
Cooke, Danielson, Donovan, Fenberg, Gardner, Ginal, Gonzales, Hansen,
Hisey, Holbert, Jaquez Lewis, Kirkmeyer, Kolker, Lee, Liston, Moreno,
Pettersen, Priola, Rankin, Scott, Simpson, Sonnenberg, Story, Winter,
Woodward, Garcia;
also REPRESENTATIVE(S) Duran and Carver, Bernett, Bird, Cutter,
Exum, Gonzales-Gutierrez, Gray, Herod, Jodeh, Lynch, McCluskie,
McCormick, Mullica, Ricks, Snyder, Titone, Valdez A., Woodrow.
CONCERNING ADDITIONAL PROTECTION OF DATA RELATING TO PERSONAL
PRIVACY.
Be it enacted by the General Assembly of the State of Colorado:
SECTION 1. In Colorado Revised Statutes, add part 13 to article
1 of title 6 as follows:
PART 13
COLORADO PRIVACY ACT
6-1-1301. Short title. THE SHORT TITLE OF THIS PART 13 IS THE
"COLORADO PRIVACY ACT".
NOTE: This bill has been prepared for the signatures of the appropriate legislative
officers and the Governor. To determine whether the Governor has signed the bill
or taken other action on it, please consult the legislative status sheet, the legislative
history, or the Session Laws.
________
Capital letters or bold & italic numbers indicate new material added to existing law; dashes
through words or numbers indicate deletions from existing law and such material is not part of
the act.
6-1-1302. Legislative declaration. (1) THE GENERAL ASSEMBLY
HEREBY:
(a) FINDS THAT:
(I) THE PEOPLE OF COLORADO REGARD THEIR PRIVACY AS A
FUNDAMENTAL RIGHT AND AN ESSENTIAL ELEMENT OF THEIR INDIVIDUAL
FREEDOM;
(II) COLORADO'S CONSTITUTION EXPLICITLY PROVIDES THE RIGHT TO
PRIVACY UNDER SECTION 7 OF ARTICLE II, AND FUNDAMENTAL PRIVACY
RIGHTS HAVE LONG BEEN, AND CONTINUE TO BE, INTEGRAL TO PROTECTING
COLORADANS AND TO SAFEGUARDING OUR DEMOCRATIC REPUBLIC;
(III) ONGOING ADVANCES IN TECHNOLOGY HAVE PRODUCED
EXPONENTIAL GROWTH IN THE VOLUME AND VARIETY OF PERSONAL DATA
BEING GENERATED, COLLECTED, STORED, AND ANALYZED AND THESE
ADVANCES PRESENT BOTH PROMISE AND POTENTIAL PERIL;
(IV) THE ABILITY TO HARNESS AND USE DATA IN POSITIVE WAYS IS
DRIVING INNOVATION AND BRINGS BENEFICIAL TECHNOLOGIES TO SOCIETY,
BUT IT HAS ALSO CREATED RISKS TO PRIVACY AND FREEDOM; AND
(V) THE UNAUTHORIZED DISCLOSURE OF PERSONAL INFORMATION
AND LOSS OF PRIVACY CAN HAVE DEVASTATING IMPACTS RANGING FROM
FINANCIAL FRAUD, IDENTITY THEFT, AND UNNECESSARY COSTS IN PERSONAL
TIME AND FINANCES TO DESTRUCTION OF PROPERTY, HARASSMENT,
REPUTATIONAL DAMAGE, EMOTIONAL DISTRESS, AND PHYSICAL HARM;
(b) DETERMINES THAT:
(I) TECHNOLOGICAL INNOVATION AND NEW USES OF DATA CAN HELP
SOLVE SOCIETAL PROBLEMS AND IMPROVE LIVES, AND IT IS POSSIBLE TO
BUILD A WORLD WHERE TECHNOLOGICAL INNOVATION AND PRIVACY CAN
COEXIST; AND
(II) STATES ACROSS THE UNITED STATES ARE LOOKING TO THIS PART
13 AND SIMILAR MODELS TO ENACT STATE-BASED DATA PRIVACY
REQUIREMENTS AND TO EXERCISE THE LEADERSHIP THAT IS LACKING AT THE
PAGE 2-SENATE BILL 21-190
NATIONAL LEVEL; AND
(c) DECLARES THAT:
(I) BY ENACTING THIS PART 13, COLORADO WILL BE AMONG THE
STATES THAT EMPOWER CONSUMERS TO PROTECT THEIR PRIVACY AND
REQUIRE COMPANIES TO BE RESPONSIBLE CUSTODIANS OF DATA AS THEY
CONTINUE TO INNOVATE;
(II) THIS PART 13 ADDRESSES ISSUES OF STATEWIDE CONCERN AND:
(A) PROVIDES CONSUMERS THE RIGHT TO ACCESS, CORRECT, AND
DELETE PERSONAL DATA AND THE RIGHT TO OPT OUT NOT ONLY OF THE SALE
OF PERSONAL DATA BUT ALSO OF THE COLLECTION AND USE OF PERSONAL
DATA;
(B) IMPOSES AN AFFIRMATIVE OBLIGATION UPON COMPANIES TO
SAFEGUARD PERSONAL DATA; TO PROVIDE CLEAR, UNDERSTANDABLE, AND
TRANSPARENT INFORMATION TO CONSUMERS ABOUT HOW THEIR PERSONAL
DATA ARE USED; AND TO STRENGTHEN COMPLIANCE AND ACCOUNTABILITY
BY REQUIRING DATA PROTECTION ASSESSMENTS IN THE COLLECTION AND USE
OF PERSONAL DATA; AND
(C) EMPOWERS THE ATTORNEY GENERAL AND DISTRICT ATTORNEYS
TO ACCESS AND EVALUATE A COMPANY'S DATA PROTECTION ASSESSMENTS,
TO IMPOSE PENALTIES WHERE VIOLATIONS OCCUR, AND TO PREVENT FUTURE
VIOLATIONS.
6-1-1303. Definitions. AS USED IN THIS PART 13, UNLESS THE
CONTEXT OTHERWISE REQUIRES:
(1) "AFFILIATE" MEANS A LEGAL ENTITY THAT CONTROLS, IS
CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER LEGAL
ENTITY. AS USED IN THIS SUBSECTION (1), "CONTROL" MEANS:
(a) OWNERSHIP OF, CONTROL OF, OR POWER TO VOTE TWENTY-FIVE
PERCENT OR MORE OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING
SECURITY OF THE ENTITY, DIRECTLY OR INDIRECTLY, OR ACTING THROUGH
ONE OR MORE OTHER PERSONS;
(b) CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY
OF THE DIRECTORS, TRUSTEES, OR GENERAL PARTNERS OF THE ENTITY OR OF
INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR
(c) THE POWER TO EXERCISE, DIRECTLY OR INDIRECTLY, A
CONTROLLING INFLUENCE OVER THE MANAGEMENT OR POLICIES OF THE
ENTITY AS DETERMINED BY THE APPLICABLE PRUDENTIAL REGULATOR, AS
THAT TERM IS DEFINED IN 12 U.S.C. SEC. 5481 (24), IF ANY.
(2) "AUTHENTICATE" MEANS TO USE REASONABLE MEANS TO
DETERMINE THAT A REQUEST TO EXERCISE ANY OF THE RIGHTS IN SECTION
6-1-1306 (1) IS BEING MADE BY OR ON BEHALF OF THE CONSUMER WHO IS
ENTITLED TO EXERCISE THE RIGHTS.
(3) "BUSINESS ASSOCIATE" HAS THE MEANING ESTABLISHED IN 45
CFR 160.103.
(4) "CHILD" MEANS AN INDIVIDUAL UNDER THIRTEEN YEARS OF AGE.
(5) "CONSENT" MEANS A CLEAR, AFFIRMATIVE ACT SIGNIFYING A
CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
AGREEMENT, SUCH AS BY A WRITTEN STATEMENT, INCLUDING BY
ELECTRONIC MEANS, OR OTHER CLEAR, AFFIRMATIVE ACTION BY WHICH THE
CONSUMER SIGNIFIES AGREEMENT TO THE PROCESSING OF PERSONAL DATA.
THE FOLLOWING DOES NOT CONSTITUTE CONSENT:
(a) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR SIMILAR
DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA PROCESSING
ALONG WITH OTHER, UNRELATED INFORMATION;
(b) HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN PIECE
OF CONTENT; AND
(c) AGREEMENT OBTAINED THROUGH DARK PATTERNS.
(6) "CONSUMER":
(a) MEANS AN INDIVIDUAL WHO IS A COLORADO RESIDENT ACTING
ONLY IN AN INDIVIDUAL OR HOUSEHOLD CONTEXT; AND
(b) DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A COMMERCIAL OR
EMPLOYMENT CONTEXT, AS A JOB APPLICANT, OR AS A BENEFICIARY OF
SOMEONE ACTING IN AN EMPLOYMENT CONTEXT.
(7) "CONTROLLER" MEANS A PERSON THAT, ALONE OR JOINTLY WITH
OTHERS, DETERMINES THE PURPOSES FOR AND MEANS OF PROCESSING
PERSONAL DATA.
(8) "COVERED ENTITY" HAS THE MEANING ESTABLISHED IN 45 CFR
160.103.
(9) "DARK PATTERN" MEANS A USER INTERFACE DESIGNED OR
MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR
IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE.
(10) "DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT
EFFECTS CONCERNING A CONSUMER" MEANS A DECISION THAT RESULTS IN
THE PROVISION OR DENIAL OF FINANCIAL OR LENDING SERVICES, HOUSING,
INSURANCE, EDUCATION ENROLLMENT OR OPPORTUNITY, CRIMINAL JUSTICE,
EMPLOYMENT OPPORTUNITIES, HEALTH-CARE SERVICES, OR ACCESS TO
ESSENTIAL GOODS OR SERVICES.
(11) "DE-IDENTIFIED DATA" MEANS DATA THAT CANNOT
REASONABLY BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE
LINKED TO, AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL, OR A DEVICE
LINKED TO SUCH AN INDIVIDUAL, IF THE CONTROLLER THAT POSSESSES THE
DATA:
(a) TAKES REASONABLE MEASURES TO ENSURE THAT THE DATA
CANNOT BE ASSOCIATED WITH AN INDIVIDUAL;
(b) PUBLICLY COMMITS TO MAINTAIN AND USE THE DATA ONLY IN A
DE-IDENTIFIED FASHION AND NOT ATTEMPT TO RE-IDENTIFY THE DATA; AND
(c) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE
INFORMATION TO COMPLY WITH THE REQUIREMENTS OF THIS SUBSECTION
(11).
(12) "HEALTH-CARE FACILITY" MEANS ANY ENTITY THAT IS
LICENSED, CERTIFIED, OR OTHERWISE AUTHORIZED OR PERMITTED BY LAW
TO ADMINISTER MEDICAL TREATMENT IN THIS STATE.
(13) "HEALTH-CARE INFORMATION" MEANS INDIVIDUALLY
IDENTIFIABLE INFORMATION RELATING TO THE PAST, PRESENT, OR FUTURE
HEALTH STATUS OF AN INDIVIDUAL.
(14) "HEALTH-CARE PROVIDER" MEANS A PERSON LICENSED,
CERTIFIED, OR REGISTERED IN THIS STATE TO PRACTICE MEDICINE,
PHARMACY, CHIROPRACTIC, NURSING, PHYSICAL THERAPY, PODIATRY,
DENTISTRY, OPTOMETRY, OCCUPATIONAL THERAPY, OR OTHER HEALING
ARTS UNDER TITLE 12.
(15) "HIPAA" MEANS THE FEDERAL "HEALTH INSURANCE
PORTABILITY AND ACCOUNTABILITY ACT OF 1996", AS AMENDED, 42 U.S.C.
SECS. 1320d TO 1320d-9.
(16) "IDENTIFIED OR IDENTIFIABLE INDIVIDUAL" MEANS AN
INDIVIDUAL WHO CAN BE READILY IDENTIFIED, DIRECTLY OR INDIRECTLY, IN
PARTICULAR BY REFERENCE TO AN IDENTIFIER SUCH AS A NAME, AN
IDENTIFICATION NUMBER, SPECIFIC GEOLOCATION DATA, OR AN ONLINE
IDENTIFIER.
(17) "PERSONAL DATA":
(a) MEANS INFORMATION THAT IS LINKED OR REASONABLY LINKABLE
TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL; AND
(b) DOES NOT INCLUDE DE-IDENTIFIED DATA OR PUBLICLY
AVAILABLE INFORMATION. AS USED IN THIS SUBSECTION (17)(b), "PUBLICLY
AVAILABLE INFORMATION" MEANS INFORMATION THAT IS LAWFULLY MADE
AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS AND
INFORMATION THAT A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE
THE CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC.
(18) "PROCESS" OR "PROCESSING" MEANS THE COLLECTION, USE,
SALE, STORAGE, DISCLOSURE, ANALYSIS, DELETION, OR MODIFICATION OF
PERSONAL DATA AND INCLUDES THE ACTIONS OF A CONTROLLER DIRECTING
A PROCESSOR TO PROCESS PERSONAL DATA.
(19) "PROCESSOR" MEANS A PERSON THAT PROCESSES PERSONAL
DATA ON BEHALF OF A CONTROLLER.
(20) "PROFILING" MEANS ANY FORM OF AUTOMATED PROCESSING OF
PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS
CONCERNING AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL'S ECONOMIC
SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY,
BEHAVIOR, LOCATION, OR MOVEMENTS.
(21) "PROTECTED HEALTH INFORMATION" HAS THE MEANING
ESTABLISHED IN 45 CFR 160.103.
(22) "PSEUDONYMOUS DATA" MEANS PERSONAL DATA THAT CAN NO
LONGER BE ATTRIBUTED TO A SPECIFIC INDIVIDUAL WITHOUT THE USE OF
ADDITIONAL INFORMATION IF THE ADDITIONAL INFORMATION IS KEPT
SEPARATELY AND IS SUBJECT TO TECHNICAL AND ORGANIZATIONAL
MEASURES TO ENSURE THAT THE PERSONAL DATA ARE NOT ATTRIBUTED TO
A SPECIFIC INDIVIDUAL.
(23) (a) "SALE", "SELL", OR "SOLD" MEANS THE EXCHANGE OF
PERSONAL DATA FOR MONETARY OR OTHER VALUABLE CONSIDERATION BY
A CONTROLLER TO A THIRD PARTY.
(b) "SALE", "SELL", OR "SOLD" DOES NOT INCLUDE THE FOLLOWING:
(I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR THAT
PROCESSES THE PERSONAL DATA ON BEHALF OF A CONTROLLER;
(II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY FOR
PURPOSES OF PROVIDING A PRODUCT OR SERVICE REQUESTED BY THE
CONSUMER;
(III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN
AFFILIATE OF THE CONTROLLER;
(IV) THE DISCLOSURE OR TRANSFER TO A THIRD PARTY OF PERSONAL
DATA AS AN ASSET THAT IS PART OF A PROPOSED OR ACTUAL MERGER,
ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD
PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER'S ASSETS;
OR
(V) THE DISCLOSURE OF PERSONAL DATA:
(A) THAT A CONSUMER DIRECTS THE CONTROLLER TO DISCLOSE OR
INTENTIONALLY DISCLOSES BY USING THE CONTROLLER TO INTERACT WITH
A THIRD PARTY; OR
(B) INTENTIONALLY MADE AVAILABLE BY A CONSUMER TO THE
GENERAL PUBLIC VIA A CHANNEL OF MASS MEDIA.
(24) "SENSITIVE DATA" MEANS:
(a) PERSONAL DATA REVEALING RACIAL OR ETHNIC ORIGIN,
RELIGIOUS BELIEFS, A MENTAL OR PHYSICAL HEALTH CONDITION OR
DIAGNOSIS, SEX LIFE OR SEXUAL ORIENTATION, OR CITIZENSHIP OR
CITIZENSHIP STATUS;
(b) GENETIC OR BIOMETRIC DATA THAT MAY BE PROCESSED FOR THE
PURPOSE OF UNIQUELY IDENTIFYING AN INDIVIDUAL; OR
(c) PERSONAL DATA FROM A KNOWN CHILD.
(25) "TARGETED ADVERTISING":
(a) MEANS DISPLAYING TO A CONSUMER AN ADVERTISEMENT THAT
IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED OVER TIME
FROM THE CONSUMER'S ACTIVITIES ACROSS NONAFFILIATED WEBSITES,
APPLICATIONS, OR ONLINE SERVICES TO PREDICT CONSUMER PREFERENCES
OR INTERESTS; AND
(b) DOES NOT INCLUDE:
(I) ADVERTISING TO A CONSUMER IN RESPONSE TO THE CONSUMER'S
REQUEST FOR INFORMATION OR FEEDBACK;
(II) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A CONTROLLER'S
OWN WEBSITES OR ONLINE APPLICATIONS;
(III) ADVERTISEMENTS BASED ON THE CONTEXT OF A CONSUMER'S
CURRENT SEARCH QUERY, VISIT TO A WEBSITE, OR ONLINE APPLICATION; OR
(IV) PROCESSING PERSONAL DATA SOLELY FOR MEASURING OR
REPORTING ADVERTISING PERFORMANCE, REACH, OR FREQUENCY.
(26) "THIRD PARTY" MEANS A PERSON, PUBLIC AUTHORITY, AGENCY,
OR BODY OTHER THAN A CONSUMER, CONTROLLER, PROCESSOR, OR
AFFILIATE OF THE PROCESSOR OR THE CONTROLLER.
6-1-1304. Applicability of part. (1) EXCEPT AS SPECIFIED IN
SUBSECTION (2) OF THIS SECTION, THIS PART 13 APPLIES TO A CONTROLLER
THAT:
(a) CONDUCTS BUSINESS IN COLORADO OR PRODUCES OR DELIVERS
COMMERCIAL PRODUCTS OR SERVICES THAT ARE INTENTIONALLY TARGETED
TO RESIDENTS OF COLORADO; AND
(b) SATISFIES ONE OR BOTH OF THE FOLLOWING THRESHOLDS:
(I) CONTROLS OR PROCESSES THE PERSONAL DATA OF ONE HUNDRED
THOUSAND CONSUMERS OR MORE DURING A CALENDAR YEAR; OR
(II) DERIVES REVENUE OR RECEIVES A DISCOUNT ON THE PRICE OF
GOODS OR SERVICES FROM THE SALE OF PERSONAL DATA AND PROCESSES OR
CONTROLS THE PERSONAL DATA OF TWENTY-FIVE THOUSAND CONSUMERS OR
MORE.
(2) THIS PART 13 DOES NOT APPLY TO:
(a) PROTECTED HEALTH INFORMATION THAT IS COLLECTED, STORED,
AND PROCESSED BY A COVERED ENTITY OR ITS BUSINESS ASSOCIATES;
(b) HEALTH-CARE INFORMATION THAT IS GOVERNED BY PART 8 OF
ARTICLE 1 OF TITLE 25 SOLELY FOR THE PURPOSE OF ACCESS TO MEDICAL
RECORDS;
(c) PATIENT IDENTIFYING INFORMATION, AS DEFINED IN 42 CFR 2.11,
THAT ARE GOVERNED BY AND COLLECTED AND PROCESSED PURSUANT TO 42
CFR 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290dd-2;
(d) IDENTIFIABLE PRIVATE INFORMATION, AS DEFINED IN 45 CFR
46.102, FOR PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF
HUMAN SUBJECTS PURSUANT TO 45 CFR 46; IDENTIFIABLE PRIVATE
INFORMATION THAT IS COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH
PURSUANT TO THE ICH E6 GOOD CLINICAL PRACTICE GUIDELINE ISSUED BY
THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL
REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE OR THE
PROTECTION OF HUMAN SUBJECTS UNDER 21 CFR 50 AND 56; OR PERSONAL
DATA USED OR SHARED IN RESEARCH CONDUCTED IN ACCORDANCE WITH ONE
OR MORE OF THE CATEGORIES SET FORTH IN THIS SUBSECTION (2)(d);
(e) INFORMATION AND DOCUMENTS CREATED BY A COVERED ENTITY
FOR PURPOSES OF COMPLYING WITH HIPAA AND ITS IMPLEMENTING
REGULATIONS;
(f) PATIENT SAFETY WORK PRODUCT, AS DEFINED IN 42 CFR 3.20,
THAT IS CREATED FOR PURPOSES OF PATIENT SAFETY IMPROVEMENT
PURSUANT TO 42 CFR 3, ESTABLISHED PURSUANT TO 42 U.S.C. SECS.
299b-21 TO 299b-26;
(g) INFORMATION THAT IS:
(I) DE-IDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR
DE-IDENTIFICATION SET FORTH IN 45 CFR 164; AND
(II) DERIVED FROM ANY OF THE HEALTH-CARE-RELATED
INFORMATION DESCRIBED IN THIS SECTION;
(h) INFORMATION MAINTAINED IN THE SAME MANNER AS
INFORMATION UNDER SUBSECTIONS (2)(a) TO (2)(g) OF THIS SECTION BY:
(I) A COVERED ENTITY OR BUSINESS ASSOCIATE;
(II) A HEALTH-CARE FACILITY OR HEALTH-CARE PROVIDER; OR
(III) A PROGRAM OF A QUALIFIED SERVICE ORGANIZATION AS
DEFINED IN 42 CFR 2.11;
(i) (I) EXCEPT AS PROVIDED IN SUBSECTION (2)(i)(II) OF THIS
SECTION, AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE,
DISCLOSURE, SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA
BEARING ON A CONSUMER'S CREDITWORTHINESS, CREDIT STANDING, CREDIT
CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL
CHARACTERISTICS, OR MODE OF LIVING BY:
(A) A CONSUMER REPORTING AGENCY AS DEFINED IN 15 U.S.C. SEC.
1681a (f);
(B) A FURNISHER OF INFORMATION AS SET FORTH IN 15 U.S.C. SEC.
1681s-2 THAT PROVIDES INFORMATION FOR USE IN A CONSUMER REPORT, AS
DEFINED IN 15 U.S.C. SEC. 1681a (d); OR
(C) A USER OF A CONSUMER REPORT AS SET FORTH IN 15 U.S.C. SEC.
1681b.
(II) THIS SUBSECTION (2)(i) APPLIES ONLY TO THE EXTENT THAT THE
ACTIVITY IS REGULATED BY THE FEDERAL "FAIR CREDIT REPORTING ACT",
15 U.S.C. SEC. 1681 ET SEQ., AS AMENDED, AND THE PERSONAL DATA ARE
NOT COLLECTED, MAINTAINED, DISCLOSED, SOLD, COMMUNICATED, OR USED
EXCEPT AS AUTHORIZED BY THE FEDERAL "FAIR CREDIT REPORTING ACT",
AS AMENDED.
(j) PERSONAL DATA:
(I) COLLECTED AND MAINTAINED FOR PURPOSES OF ARTICLE 22 OF
TITLE 10;
(II) COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE
FEDERAL "GRAMM-LEACH-BLILEY ACT", 15 U.S.C. SEC. 6801 ET SEQ., AS
AMENDED, AND IMPLEMENTING REGULATIONS, IF THE COLLECTION,
PROCESSING, SALE, OR DISCLOSURE IS IN COMPLIANCE WITH THAT LAW;
(III) COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO
THE FEDERAL "DRIVER'S PRIVACY PROTECTION ACT OF 1994", 18 U.S.C.
SEC. 2721 ET SEQ., AS AMENDED, IF THE COLLECTION, PROCESSING, SALE, OR
DISCLOSURE IS REGULATED BY THAT LAW, INCLUDING IMPLEMENTING RULES,
REGULATIONS, OR EXEMPTIONS;
(IV) REGULATED BY THE FEDERAL "CHILDREN'S ONLINE PRIVACY
PROTECTION ACT OF 1998", 15 U.S.C. SECS. 6501 TO 6506, AS AMENDED, IF
COLLECTED, PROCESSED, AND MAINTAINED IN COMPLIANCE WITH THAT LAW;
OR
(V) REGULATED BY THE FEDERAL "FAMILY EDUCATIONAL RIGHTS
AND PRIVACY ACT OF 1974", 20 U.S.C. SEC. 1232g ET SEQ., AS AMENDED,
AND ITS IMPLEMENTING REGULATIONS;
(k) DATA MAINTAINED FOR EMPLOYMENT RECORDS PURPOSES;
(l) AN AIR CARRIER AS DEFINED IN AND REGULATED UNDER 49 U.S.C.
SEC. 40101 ET SEQ., AS AMENDED, AND 49 U.S.C. SEC. 41713, AS AMENDED;
(m) A NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT
TO THE FEDERAL "SECURITIES EXCHANGE ACT OF 1934", 15 U.S.C. SEC.
78o-3, AS AMENDED, OR IMPLEMENTING REGULATIONS;
(n) CUSTOMER DATA MAINTAINED BY A PUBLIC UTILITY AS DEFINED
IN SECTION 40-1-103 (1)(a)(I) OR AN AUTHORITY AS DEFINED IN SECTION
43-4-503 (1), IF THE DATA ARE NOT COLLECTED, MAINTAINED, DISCLOSED,
SOLD, COMMUNICATED, OR USED EXCEPT AS AUTHORIZED BY STATE AND
FEDERAL LAW;
(o) DATA MAINTAINED BY A STATE INSTITUTION OF HIGHER
EDUCATION, AS DEFINED IN SECTION 23-18-102 (10), THE STATE, THE
JUDICIAL DEPARTMENT OF THE STATE, OR A COUNTY, CITY AND COUNTY, OR
MUNICIPALITY IF THE DATA IS COLLECTED, MAINTAINED, DISCLOSED,
COMMUNICATED, AND USED AS AUTHORIZED BY STATE AND FEDERAL LAW
FOR NONCOMMERCIAL PURPOSES. THIS SUBSECTION (2)(o) DOES NOT AFFECT
ANY OTHER EXEMPTION AVAILABLE UNDER THIS PART 13;
(p) INFORMATION USED AND DISCLOSED IN COMPLIANCE WITH 45
CFR 164.512; OR
(q) A FINANCIAL INSTITUTION OR AN AFFILIATE OF A FINANCIAL
INSTITUTION AS DEFINED BY AND THAT IS SUBJECT TO THE FEDERAL
"GRAMM-LEACH-BLILEY ACT", 15 U.S.C. SEC. 6801 ET SEQ., AS AMENDED,
AND IMPLEMENTING REGULATIONS, INCLUDING REGULATION P, 12 CFR
1016.
(3) THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS
UNDER THIS PART 13 DO NOT:
(a) RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO:
(I) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR
REGULATIONS;
(II) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY,
INVESTIGATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR
OTHER GOVERNMENTAL AUTHORITIES;
(III) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING
CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY
AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL
LAW;
(IV) INVESTIGATE, EXERCISE, PREPARE FOR, OR DEFEND ACTUAL OR
ANTICIPATED LEGAL CLAIMS;
(V) CONDUCT INTERNAL RESEARCH TO IMPROVE, REPAIR, OR
DEVELOP PRODUCTS, SERVICES, OR TECHNOLOGY;
(VI) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR
EXISTING OR INTENDED FUNCTIONALITY;
(VII) PERFORM INTERNAL OPERATIONS THAT ARE REASONABLY
ALIGNED WITH THE EXPECTATIONS OF THE CONSUMER BASED ON THE
CONSUMER'S EXISTING RELATIONSHIP WITH THE CONTROLLER;
(VIII) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED
BY A CONSUMER OR THE PARENT OR GUARDIAN OF A CHILD, PERFORM A
CONTRACT TO WHICH THE CONSUMER IS A PARTY, OR TAKE STEPS AT THE
REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT;
(IX) PROTECT THE VITAL INTERESTS OF THE CONSUMER OR OF
ANOTHER INDIVIDUAL;
(X) PREVENT, DETECT, PROTECT AGAINST, OR RESPOND TO SECURITY
INCIDENTS, IDENTITY THEFT, FRAUD, HARASSMENT, OR MALICIOUS,
DECEPTIVE, OR ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY OR SECURITY
OF SYSTEMS; OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE
FOR ANY SUCH ACTION;
(XI) PROCESS PERSONAL DATA FOR REASONS OF PUBLIC INTEREST IN
THE AREA OF PUBLIC HEALTH, BUT SOLELY TO THE EXTENT THAT THE
PROCESSING:
(A) IS SUBJECT TO SUITABLE AND SPECIFIC MEASURES TO SAFEGUARD
THE RIGHTS OF THE CONSUMER WHOSE PERSONAL DATA ARE PROCESSED;
AND
(B) IS UNDER THE RESPONSIBILITY OF A PROFESSIONAL SUBJECT TO
CONFIDENTIALITY OBLIGATIONS UNDER FEDERAL, STATE, OR LOCAL LAW; OR
(XII) ASSIST ANOTHER PERSON WITH ANY OF THE ACTIVITIES SET
FORTH IN THIS SUBSECTION (3);
(b) APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR
WITH THIS PART 13 WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER
COLORADO LAW;
(c) PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING
PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN
EVIDENTIARY PRIVILEGE UNDER COLORADO LAW AS PART OF A PRIVILEGED
COMMUNICATION;
(d) APPLY TO INFORMATION MADE AVAILABLE BY A THIRD PARTY
THAT THE CONTROLLER HAS A REASONABLE BASIS TO BELIEVE IS PROTECTED
SPEECH PURSUANT TO APPLICABLE LAW; AND
(e) APPLY TO THE PROCESSING OF PERSONAL DATA BY AN
INDIVIDUAL IN THE COURSE OF A PURELY PERSONAL OR HOUSEHOLD
ACTIVITY.
(4) PERSONAL DATA THAT ARE PROCESSED BY A CONTROLLER
PURSUANT TO AN EXCEPTION PROVIDED BY THIS SECTION:
(a) SHALL NOT BE PROCESSED FOR ANY PURPOSE OTHER THAN A
PURPOSE EXPRESSLY LISTED IN THIS SECTION OR AS OTHERWISE AUTHORIZED
BY THIS PART 13; AND
(b) SHALL BE PROCESSED SOLELY TO THE EXTENT THAT THE
PROCESSING IS NECESSARY, REASONABLE, AND PROPORTIONATE TO THE
SPECIFIC PURPOSE OR PURPOSES LISTED IN THIS SECTION OR AS OTHERWISE
AUTHORIZED BY THIS PART 13.
(5) IF A CONTROLLER PROCESSES PERSONAL DATA PURSUANT TO AN
EXEMPTION IN THIS SECTION, THE CONTROLLER BEARS THE BURDEN OF
DEMONSTRATING THAT THE PROCESSING QUALIFIES FOR THE EXEMPTION AND
COMPLIES WITH THE REQUIREMENTS IN SUBSECTION (4) OF THIS SECTION.
6-1-1305. Responsibility according to role. (1) CONTROLLERS
AND PROCESSORS SHALL MEET THEIR RESPECTIVE OBLIGATIONS
ESTABLISHED UNDER THIS PART 13.
(2) PROCESSORS SHALL ADHERE TO THE INSTRUCTIONS OF THE
CONTROLLER AND ASSIST THE CONTROLLER TO MEET ITS OBLIGATIONS
UNDER THIS PART 13. TAKING INTO ACCOUNT THE NATURE OF PROCESSING
AND THE INFORMATION AVAILABLE TO THE PROCESSOR, THE PROCESSOR
SHALL ASSIST THE CONTROLLER BY:
(a) TAKING APPROPRIATE TECHNICAL AND ORGANIZATIONAL
MEASURES, INSOFAR AS THIS IS POSSIBLE, FOR THE FULFILLMENT OF THE
CONTROLLER'S OBLIGATION TO RESPOND TO CONSUMER REQUESTS TO
EXERCISE THEIR RIGHTS PURSUANT TO SECTION 6-1-1306;
(b) HELPING TO MEET THE CONTROLLER'S OBLIGATIONS IN RELATION
TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO
THE NOTIFICATION OF A BREACH OF THE SECURITY OF THE SYSTEM PURSUANT
TO SECTION 6-1-716; AND
(c) PROVIDING INFORMATION TO THE CONTROLLER NECESSARY TO
ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT ANY DATA
PROTECTION ASSESSMENTS REQUIRED BY SECTION 6-1-1309. THE
CONTROLLER AND PROCESSOR ARE EACH RESPONSIBLE FOR ONLY THE
MEASURES ALLOCATED TO THEM.
(3) NOTWITHSTANDING THE INSTRUCTIONS OF THE CONTROLLER, A
PROCESSOR SHALL:
(a) ENSURE THAT EACH PERSON PROCESSING THE PERSONAL DATA IS
SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA; AND
(b) ENGAGE A SUBCONTRACTOR ONLY AFTER PROVIDING THE
CONTROLLER WITH AN OPPORTUNITY TO OBJECT AND PURSUANT TO A
WRITTEN CONTRACT IN ACCORDANCE WITH SUBSECTION (5) OF THIS SECTION
THAT REQUIRES THE SUBCONTRACTOR TO MEET THE OBLIGATIONS OF THE
PROCESSOR WITH RESPECT TO THE PERSONAL DATA.
(4) TAKING INTO ACCOUNT THE CONTEXT OF PROCESSING, THE
CONTROLLER AND THE PROCESSOR SHALL IMPLEMENT APPROPRIATE
TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE A LEVEL OF
SECURITY APPROPRIATE TO THE RISK AND ESTABLISH A CLEAR ALLOCATION
OF THE RESPONSIBILITIES BETWEEN THEM TO IMPLEMENT THE MEASURES.
(5) PROCESSING BY A PROCESSOR MUST BE GOVERNED BY A
CONTRACT BETWEEN THE CONTROLLER AND THE PROCESSOR THAT IS
BINDING ON BOTH PARTIES AND THAT SETS OUT:
(a) THE PROCESSING INSTRUCTIONS TO WHICH THE PROCESSOR IS
BOUND, INCLUDING THE NATURE AND PURPOSE OF THE PROCESSING;
(b) THE TYPE OF PERSONAL DATA SUBJECT TO THE PROCESSING, AND
THE DURATION OF THE PROCESSING;
(c) THE REQUIREMENTS IMPOSED BY THIS SUBSECTION (5) AND
SUBSECTIONS (3) AND (4) OF THIS SECTION; AND
(d) THE FOLLOWING REQUIREMENTS:
(I) AT THE CHOICE OF THE CONTROLLER, THE PROCESSOR SHALL
DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS
REQUESTED AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION
OF THE PERSONAL DATA IS REQUIRED BY LAW;
(II) (A) THE PROCESSOR SHALL MAKE AVAILABLE TO THE
CONTROLLER ALL INFORMATION NECESSARY TO DEMONSTRATE COMPLIANCE
WITH THE OBLIGATIONS IN THIS PART 13; AND
(B) THE PROCESSOR SHALL ALLOW FOR, AND CONTRIBUTE TO,
REASONABLE AUDITS AND INSPECTIONS BY THE CONTROLLER OR THE
CONTROLLER'S DESIGNATED AUDITOR. ALTERNATIVELY, THE PROCESSOR
MAY, WITH THE CONTROLLER'S CONSENT, ARRANGE FOR A QUALIFIED AND
INDEPENDENT AUDITOR TO CONDUCT, AT LEAST ANNUALLY AND AT THE
PROCESSOR'S EXPENSE, AN AUDIT OF THE PROCESSOR'S POLICIES AND
TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE
OBLIGATIONS UNDER THIS PART 13 USING AN APPROPRIATE AND ACCEPTED
CONTROL STANDARD OR FRAMEWORK AND AUDIT PROCEDURE FOR THE
AUDITS AS APPLICABLE. THE PROCESSOR SHALL PROVIDE A REPORT OF THE
AUDIT TO THE CONTROLLER UPON REQUEST.
(6) IN NO EVENT MAY A CONTRACT RELIEVE A CONTROLLER OR A
PROCESSOR FROM THE LIABILITIES IMPOSED ON THEM BY VIRTUE OF ITS ROLE
IN THE PROCESSING RELATIONSHIP AS DEFINED BY THIS PART 13.
(7) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER
OR PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A
FACT-BASED DETERMINATION THAT DEPENDS UPON THE CONTEXT IN WHICH
PERSONAL DATA ARE TO BE PROCESSED. A PERSON THAT IS NOT LIMITED IN
ITS PROCESSING OF PERSONAL DATA PURSUANT TO A CONTROLLER'S
INSTRUCTIONS, OR THAT FAILS TO ADHERE TO THE INSTRUCTIONS, IS A
CONTROLLER AND NOT A PROCESSOR WITH RESPECT TO A SPECIFIC
PROCESSING OF DATA. A PROCESSOR THAT CONTINUES TO ADHERE TO A
CONTROLLER'S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF
PERSONAL DATA REMAINS A PROCESSOR. IF A PROCESSOR BEGINS, ALONE OR
JOINTLY WITH OTHERS, DETERMINING THE PURPOSES AND MEANS OF THE
PROCESSING OF PERSONAL DATA, IT IS A CONTROLLER WITH RESPECT TO THE
PROCESSING.
(8) (a) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL
DATA TO ANOTHER CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS
PART 13 DOES NOT VIOLATE THIS PART 13 IF THE RECIPIENT PROCESSES THE
PERSONAL DATA IN VIOLATION OF THIS PART 13, AND, AT THE TIME OF
DISCLOSING THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR
PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECIPIENT
INTENDED TO COMMIT A VIOLATION.
(b) A CONTROLLER OR PROCESSOR RECEIVING PERSONAL DATA FROM
A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS PART 13 AS
SPECIFIED IN SUBSECTION (8)(a) OF THIS SECTION DOES NOT VIOLATE THIS
PART 13 IF THE CONTROLLER OR PROCESSOR FROM WHICH IT RECEIVES THE
PERSONAL DATA FAILS TO COMPLY WITH APPLICABLE OBLIGATIONS UNDER
THIS PART 13.
6-1-1306. Consumer personal data rights - repeal.
(1) CONSUMERS MAY EXERCISE THE FOLLOWING RIGHTS BY SUBMITTING A
REQUEST USING THE METHODS SPECIFIED BY THE CONTROLLER IN THE
PRIVACY NOTICE REQUIRED UNDER SECTION 6-1-1308 (1)(a). THE METHOD
MUST TAKE INTO ACCOUNT THE WAYS IN WHICH CONSUMERS NORMALLY
INTERACT WITH THE CONTROLLER, THE NEED FOR SECURE AND RELIABLE
COMMUNICATION RELATING TO THE REQUEST, AND THE ABILITY OF THE
CONTROLLER TO AUTHENTICATE THE IDENTITY OF THE CONSUMER MAKING
THE REQUEST. CONTROLLERS SHALL NOT REQUIRE A CONSUMER TO CREATE
A NEW ACCOUNT IN ORDER TO EXERCISE CONSUMER RIGHTS PURSUANT TO
THIS SECTION BUT MAY REQUIRE A CONSUMER TO USE AN EXISTING
ACCOUNT. A CONSUMER MAY SUBMIT A REQUEST AT ANY TIME TO A
CONTROLLER SPECIFYING WHICH OF THE FOLLOWING RIGHTS THE CONSUMER
WISHES TO EXERCISE:
(a) Right to opt out. (I) A CONSUMER HAS THE RIGHT TO OPT OUT
OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER FOR
PURPOSES OF:
(A) TARGETED ADVERTISING;
(B) THE SALE OF PERSONAL DATA; OR
(C) PROFILING IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL
OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER.
(II) A CONSUMER MAY AUTHORIZE ANOTHER PERSON, ACTING ON THE
CONSUMER'S BEHALF, TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S
PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN
SUBSECTION (1)(a)(I) OF THIS SECTION, INCLUDING THROUGH A TECHNOLOGY
INDICATING THE CONSUMER'S INTENT TO OPT OUT SUCH AS A WEB LINK
INDICATING A PREFERENCE OR BROWSER SETTING, BROWSER EXTENSION, OR
GLOBAL DEVICE SETTING. A CONTROLLER SHALL COMPLY WITH AN OPT-OUT
REQUEST RECEIVED FROM A PERSON AUTHORIZED BY THE CONSUMER TO ACT
ON THE CONSUMER'S BEHALF IF THE CONTROLLER IS ABLE TO AUTHENTICATE,
WITH COMMERCIALLY REASONABLE EFFORT, THE IDENTITY OF THE
CONSUMER AND THE AUTHORIZED AGENT'S AUTHORITY TO ACT ON THE
CONSUMER'S BEHALF.
(III) A CONTROLLER THAT PROCESSES PERSONAL DATA FOR
PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA
SHALL PROVIDE A CLEAR AND CONSPICUOUS METHOD TO EXERCISE THE
RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE
CONSUMER PURSUANT TO SUBSECTION (1)(a)(I) OF THIS SECTION. THE
CONTROLLER SHALL PROVIDE THE OPT-OUT METHOD CLEARLY AND
CONSPICUOUSLY IN ANY PRIVACY NOTICE REQUIRED TO BE PROVIDED TO
CONSUMERS UNDER THIS PART 13, AND IN A CLEAR, CONSPICUOUS, AND
READILY ACCESSIBLE LOCATION OUTSIDE THE PRIVACY NOTICE.
(IV) (A) A CONTROLLER THAT PROCESSES PERSONAL DATA FOR
PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA MAY
ALLOW CONSUMERS TO EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING
OF PERSONAL DATA CONCERNING THE CONSUMER FOR PURPOSES OF
TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA PURSUANT TO
SUBSECTIONS (1)(a)(I)(A) AND (1)(a)(I)(B) OF THIS SECTION BY
CONTROLLERS THROUGH A USER-SELECTED UNIVERSAL OPT-OUT MECHANISM
THAT MEETS THE TECHNICAL SPECIFICATIONS ESTABLISHED BY THE
ATTORNEY GENERAL PURSUANT TO SECTION 6-1-1313. THIS SUBSECTION
(1)(a)(IV)(A) IS REPEALED, EFFECTIVE JULY 1, 2024.
(B) EFFECTIVE JULY 1, 2024, A CONTROLLER THAT PROCESSES
PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF
PERSONAL DATA SHALL ALLOW CONSUMERS TO EXERCISE THE RIGHT TO OPT
OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER
FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA
PURSUANT TO SUBSECTIONS (1)(a)(I)(A) AND (1)(a)(I)(B) OF THIS SECTION
BY CONTROLLERS THROUGH A USER-SELECTED UNIVERSAL OPT-OUT
MECHANISM THAT MEETS THE TECHNICAL SPECIFICATIONS ESTABLISHED BY
THE ATTORNEY GENERAL PURSUANT TO SECTION 6-1-1313.
(C) NOTWITHSTANDING A CONSUMER'S DECISION TO EXERCISE THE
RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA THROUGH A
UNIVERSAL OPT-OUT MECHANISM PURSUANT TO SUBSECTION (1)(a)(IV)(B)
OF THIS SECTION, A CONTROLLER MAY ENABLE THE CONSUMER TO CONSENT,
THROUGH A WEB PAGE, APPLICATION, OR A SIMILAR METHOD, TO THE
PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR PURPOSES OF
TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA, AND THE
CONSENT TAKES PRECEDENCE OVER ANY CHOICE REFLECTED THROUGH THE
UNIVERSAL OPT-OUT MECHANISM. BEFORE OBTAINING A CONSUMER'S
CONSENT TO PROCESS PERSONAL DATA FOR PURPOSES OF TARGETED
ADVERTISING OR THE SALE OF PERSONAL DATA PURSUANT TO THIS
SUBSECTION (1)(a)(IV)(C), A CONTROLLER SHALL PROVIDE THE CONSUMER
WITH A CLEAR AND CONSPICUOUS NOTICE INFORMING THE CONSUMER ABOUT
THE CHOICES AVAILABLE UNDER THIS SECTION, DESCRIBING THE CATEGORIES
OF PERSONAL DATA TO BE PROCESSED AND THE PURPOSES FOR WHICH THEY
WILL BE PROCESSED, AND EXPLAINING HOW AND WHERE THE CONSUMER MAY
WITHDRAW CONSENT. THE WEB PAGE, APPLICATION, OR OTHER MEANS BY
WHICH A CONTROLLER OBTAINS A CONSUMER'S CONSENT TO PROCESS
PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF
PERSONAL DATA MUST ALSO ALLOW THE CONSUMER TO REVOKE THE
CONSENT AS EASILY AS IT IS AFFIRMATIVELY PROVIDED.
(b) Right of access. A CONSUMER HAS THE RIGHT TO CONFIRM
WHETHER A CONTROLLER IS PROCESSING PERSONAL DATA CONCERNING THE
CONSUMER AND TO ACCESS THE CONSUMER'S PERSONAL DATA.
(c) Right to correction. A CONSUMER HAS THE RIGHT TO CORRECT
INACCURACIES IN THE CONSUMER'S PERSONAL DATA, TAKING INTO ACCOUNT
THE NATURE OF THE PERSONAL DATA AND THE PURPOSES OF THE PROCESSING
OF THE CONSUMER'S PERSONAL DATA.
(d) Right to deletion. A CONSUMER HAS THE RIGHT TO DELETE
PERSONAL DATA CONCERNING THE CONSUMER.
(e) Right to data portability. WHEN EXERCISING THE RIGHT TO
ACCESS PERSONAL DATA PURSUANT TO SUBSECTION (1)(b) OF THIS SECTION,
A CONSUMER HAS THE RIGHT TO OBTAIN THE PERSONAL DATA IN A PORTABLE
AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT
THAT ALLOWS THE CONSUMER TO TRANSMIT THE DATA TO ANOTHER ENTITY
WITHOUT HINDRANCE. A CONSUMER MAY EXERCISE THIS RIGHT NO MORE
THAN TWO TIMES PER CALENDAR YEAR. NOTHING IN THIS SUBSECTION (1)(e)
REQUIRES A CONTROLLER TO PROVIDE THE DATA TO THE CONSUMER IN A
MANNER THAT WOULD DISCLOSE THE CONTROLLER'S TRADE SECRETS.
(2) Responding to consumer requests. (a) A CONTROLLER SHALL
INFORM A CONSUMER OF ANY ACTION TAKEN ON A REQUEST UNDER
SUBSECTION (1) OF THIS SECTION WITHOUT UNDUE DELAY AND, IN ANY
EVENT, WITHIN FORTY-FIVE DAYS AFTER RECEIPT OF THE REQUEST. THE
CONTROLLER MAY EXTEND THE FORTY-FIVE-DAY PERIOD BY FORTY-FIVE
ADDITIONAL DAYS WHERE REASONABLY NECESSARY, TAKING INTO ACCOUNT
THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER SHALL
INFORM THE CONSUMER OF AN EXTENSION WITHIN FORTY-FIVE DAYS AFTER
RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY.
(b) IF A CONTROLLER DOES NOT TAKE ACTION ON THE REQUEST OF A
CONSUMER, THE CONTROLLER SHALL INFORM THE CONSUMER, WITHOUT
UNDUE DELAY AND, AT THE LATEST, WITHIN FORTY-FIVE DAYS AFTER
RECEIPT OF THE REQUEST, OF THE REASONS FOR NOT TAKING ACTION AND
INSTRUCTIONS FOR HOW TO APPEAL THE DECISION WITH THE CONTROLLER AS
DESCRIBED IN SUBSECTION (3) OF THIS SECTION.
(c) UPON REQUEST, A CONTROLLER SHALL PROVIDE TO THE
CONSUMER THE INFORMATION SPECIFIED IN THIS SECTION FREE OF CHARGE;
EXCEPT THAT, FOR A SECOND OR SUBSEQUENT REQUEST WITHIN A
TWELVE-MONTH PERIOD, THE CONTROLLER MAY CHARGE AN AMOUNT
CALCULATED IN THE MANNER SPECIFIED IN SECTION 24-72-205 (5)(a).
(d) A CONTROLLER IS NOT REQUIRED TO COMPLY WITH A REQUEST TO
EXERCISE ANY OF THE RIGHTS UNDER SUBSECTION (1) OF THIS SECTION IF
THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST USING
COMMERCIALLY REASONABLE EFFORTS, IN WHICH CASE THE CONTROLLER
MAY REQUEST THE PROVISION OF ADDITIONAL INFORMATION REASONABLY
NECESSARY TO AUTHENTICATE THE REQUEST.
(3) (a) A CONTROLLER SHALL ESTABLISH AN INTERNAL PROCESS
WHEREBY CONSUMERS MAY APPEAL A REFUSAL TO TAKE ACTION ON A
REQUEST TO EXERCISE ANY OF THE RIGHTS UNDER SUBSECTION (1) OF THIS
SECTION WITHIN A REASONABLE PERIOD AFTER THE CONSUMER'S RECEIPT OF
THE NOTICE SENT BY THE CONTROLLER UNDER SUBSECTION (2)(b) OF THIS
SECTION. THE APPEAL PROCESS MUST BE CONSPICUOUSLY AVAILABLE AND
AS EASY TO USE AS THE PROCESS FOR SUBMITTING A REQUEST UNDER THIS
SECTION.
(b) WITHIN FORTY-FIVE DAYS AFTER RECEIPT OF AN APPEAL, A
CONTROLLER SHALL INFORM THE CONSUMER OF ANY ACTION TAKEN OR NOT
TAKEN IN RESPONSE TO THE APPEAL, ALONG WITH A WRITTEN EXPLANATION
OF THE REASONS IN SUPPORT OF THE RESPONSE. THE CONTROLLER MAY
EXTEND THE FORTY-FIVE-DAY PERIOD BY SIXTY ADDITIONAL DAYS WHERE
REASONABLY NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND
NUMBER OF REQUESTS SERVING AS THE BASIS FOR THE APPEAL. THE
CONTROLLER SHALL INFORM THE CONSUMER OF AN EXTENSION WITHIN
FORTY-FIVE DAYS AFTER RECEIPT OF THE APPEAL, TOGETHER WITH THE
REASONS FOR THE DELAY.
(c) THE CONTROLLER SHALL INFORM THE CONSUMER OF THE
CONSUMER'S ABILITY TO CONTACT THE ATTORNEY GENERAL IF THE
CONSUMER HAS CONCERNS ABOUT THE RESULT OF THE APPEAL.
6-1-1307. Processing de-identified data. (1) THIS PART 13 DOES
NOT REQUIRE A CONTROLLER OR PROCESSOR TO DO ANY OF THE FOLLOWING
SOLELY FOR PURPOSES OF COMPLYING WITH THIS PART 13:
(a) REIDENTIFY DE-IDENTIFIED DATA;
(b) COMPLY WITH AN AUTHENTICATED CONSUMER REQUEST TO
ACCESS, CORRECT, DELETE, OR PROVIDE PERSONAL DATA IN A PORTABLE
FORMAT PURSUANT TO SECTION 6-1-1306 (1), IF ALL OF THE FOLLOWING ARE
TRUE:
(I) (A) THE CONTROLLER IS NOT REASONABLY CAPABLE OF
ASSOCIATING THE REQUEST WITH THE PERSONAL DATA; OR
(B) IT WOULD BE UNREASONABLY BURDENSOME FOR THE
CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA;
(II) THE CONTROLLER DOES NOT USE THE PERSONAL DATA TO
RECOGNIZE OR RESPOND TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF
THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER
PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER; AND
(III) THE CONTROLLER DOES NOT SELL THE PERSONAL DATA TO ANY
THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA
TO ANY THIRD PARTY, EXCEPT AS OTHERWISE AUTHORIZED BY THE
CONSUMER; OR
(c) MAINTAIN DATA IN IDENTIFIABLE FORM OR COLLECT, OBTAIN,
RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO ENABLE THE
CONTROLLER TO ASSOCIATE AN AUTHENTICATED CONSUMER REQUEST WITH
PERSONAL DATA.
(2) A CONTROLLER THAT USES DE-IDENTIFIED DATA SHALL EXERCISE
REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY
CONTRACTUAL COMMITMENTS TO WHICH THE DE-IDENTIFIED DATA ARE
SUBJECT AND SHALL TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES
OF CONTRACTUAL COMMITMENTS.
(3) THE RIGHTS CONTAINED IN SECTION 6-1-1306 (1)(b) TO (1)(e) DO
NOT APPLY TO PSEUDONYMOUS DATA IF THE CONTROLLER CAN
DEMONSTRATE THAT THE INFORMATION NECESSARY TO IDENTIFY THE
CONSUMER IS KEPT SEPARATELY AND IS SUBJECT TO EFFECTIVE TECHNICAL
AND ORGANIZATIONAL CONTROLS THAT PREVENT THE CONTROLLER FROM
ACCESSING THE INFORMATION.
6-1-1308. Duties of controllers. (1) Duty of transparency. (a) A
CONTROLLER SHALL PROVIDE CONSUMERS WITH A REASONABLY ACCESSIBLE,
CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES:
(I) THE CATEGORIES OF PERSONAL DATA COLLECTED OR PROCESSED
BY THE CONTROLLER OR A PROCESSOR;
(II) THE PURPOSES FOR WHICH THE CATEGORIES OF PERSONAL DATA
ARE PROCESSED;
(III) HOW AND WHERE CONSUMERS MAY EXERCISE THE RIGHTS
PURSUANT TO SECTION 6-1-1306, INCLUDING THE CONTROLLER'S CONTACT
INFORMATION AND HOW A CONSUMER MAY APPEAL A CONTROLLER'S ACTION
WITH REGARD TO THE CONSUMER'S REQUEST;
(IV) THE CATEGORIES OF PERSONAL DATA THAT THE CONTROLLER
SHARES WITH THIRD PARTIES, IF ANY; AND
(V) THE CATEGORIES OF THIRD PARTIES, IF ANY, WITH WHOM THE
CONTROLLER SHARES PERSONAL DATA.
(b) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR
PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING, THE CONTROLLER
SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING,
AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT
TO OPT OUT OF THE SALE OR PROCESSING.
(c) A CONTROLLER SHALL NOT:
(I) REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO
EXERCISE A RIGHT; OR
(II) BASED SOLELY ON THE EXERCISE OF A RIGHT AND UNRELATED TO
FEASIBILITY OR THE VALUE OF A SERVICE, INCREASE THE COST OF, OR
DECREASE THE AVAILABILITY OF, THE PRODUCT OR SERVICE.
(d) NOTHING IN THIS PART 13 SHALL BE CONSTRUED TO REQUIRE A
CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE
PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER DOES NOT COLLECT
OR MAINTAIN OR TO PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT
PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A
CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE
OFFER IS RELATED TO A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA
FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNT, OR CLUB CARD
PROGRAM.
(2) Duty of purpose specification. A CONTROLLER SHALL SPECIFY
THE EXPRESS PURPOSES FOR WHICH PERSONAL DATA ARE COLLECTED AND
PROCESSED.
(3) Duty of data minimization. A CONTROLLER'S COLLECTION OF
PERSONAL DATA MUST BE ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS
REASONABLY NECESSARY IN RELATION TO THE SPECIFIED PURPOSES FOR
WHICH THE DATA ARE PROCESSED.
(4) Duty to avoid secondary use. A CONTROLLER SHALL NOT
PROCESS PERSONAL DATA FOR PURPOSES THAT ARE NOT REASONABLY
NECESSARY TO OR COMPATIBLE WITH THE SPECIFIED PURPOSES FOR WHICH
THE PERSONAL DATA ARE PROCESSED, UNLESS THE CONTROLLER FIRST
OBTAINS THE CONSUMER'S CONSENT.
(5) Duty of care. A CONTROLLER SHALL TAKE REASONABLE
MEASURES TO SECURE PERSONAL DATA DURING BOTH STORAGE AND USE
FROM UNAUTHORIZED ACQUISITION. THE DATA SECURITY PRACTICES MUST
BE APPROPRIATE TO THE VOLUME, SCOPE, AND NATURE OF THE PERSONAL
DATA PROCESSED AND THE NATURE OF THE BUSINESS.
(6) Duty to avoid unlawful discrimination. A CONTROLLER SHALL
NOT PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL LAWS
THAT PROHIBIT UNLAWFUL DISCRIMINATION AGAINST CONSUMERS.
(7) Duty regarding sensitive data. A CONTROLLER SHALL NOT
PROCESS A CONSUMER'S SENSITIVE DATA WITHOUT FIRST OBTAINING THE
CONSUMER'S CONSENT OR, IN THE CASE OF THE PROCESSING OF PERSONAL
DATA CONCERNING A KNOWN CHILD, WITHOUT FIRST OBTAINING CONSENT
FROM THE CHILD'S PARENT OR LAWFUL GUARDIAN.
6-1-1309. Data protection assessments - attorney general access
and evaluation - definition. (1) A CONTROLLER SHALL NOT CONDUCT
PROCESSING THAT PRESENTS A HEIGHTENED RISK OF HARM TO A CONSUMER
WITHOUT CONDUCTING AND DOCUMENTING A DATA PROTECTION
ASSESSMENT OF EACH OF ITS PROCESSING ACTIVITIES THAT INVOLVE
PERSONAL DATA ACQUIRED ON OR AFTER THE EFFECTIVE DATE OF THIS
SECTION THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER.
(2) FOR PURPOSES OF THIS SECTION, "PROCESSING THAT PRESENTS A
HEIGHTENED RISK OF HARM TO A CONSUMER" INCLUDES THE FOLLOWING:
(a) PROCESSING PERSONAL DATA FOR PURPOSES OF TARGETED
ADVERTISING OR FOR PROFILING IF THE PROFILING PRESENTS A REASONABLY
FORESEEABLE RISK OF:
(I) UNFAIR OR DECEPTIVE TREATMENT OF, OR UNLAWFUL DISPARATE
IMPACT ON, CONSUMERS;
(II) FINANCIAL OR PHYSICAL INJURY TO CONSUMERS;
(III) A PHYSICAL OR OTHER INTRUSION UPON THE SOLITUDE OR
SECLUSION, OR THE PRIVATE AFFAIRS OR CONCERNS, OF CONSUMERS IF THE
INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR
(IV) OTHER SUBSTANTIAL INJURY TO CONSUMERS;
(b) SELLING PERSONAL DATA; AND
(c) PROCESSING SENSITIVE DATA.
(3) DATA PROTECTION ASSESSMENTS MUST IDENTIFY AND WEIGH THE
BENEFITS THAT MAY FLOW, DIRECTLY AND INDIRECTLY, FROM THE
PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER STAKEHOLDERS,
AND THE PUBLIC AGAINST THE POTENTIAL RISKS TO THE RIGHTS OF THE
CONSUMER ASSOCIATED WITH THE PROCESSING, AS MITIGATED BY
SAFEGUARDS THAT THE CONTROLLER CAN EMPLOY TO REDUCE THE RISKS.
THE CONTROLLER SHALL FACTOR INTO THIS ASSESSMENT THE USE OF
DE-IDENTIFIED DATA AND THE REASONABLE EXPECTATIONS OF CONSUMERS,
AS WELL AS THE CONTEXT OF THE PROCESSING AND THE RELATIONSHIP
BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA
WILL BE PROCESSED.
(4) A CONTROLLER SHALL MAKE THE DATA PROTECTION ASSESSMENT
AVAILABLE TO THE ATTORNEY GENERAL UPON REQUEST. THE ATTORNEY
GENERAL MAY EVALUATE THE DATA PROTECTION ASSESSMENT FOR
COMPLIANCE WITH THE DUTIES CONTAINED IN SECTION 6-1-1308 AND WITH
OTHER LAWS, INCLUDING THIS ARTICLE 1. DATA PROTECTION ASSESSMENTS
ARE CONFIDENTIAL AND EXEMPT FROM PUBLIC INSPECTION AND COPYING
UNDER THE "COLORADO OPEN RECORDS ACT", PART 2 OF ARTICLE 72 OF
TITLE 24. THE DISCLOSURE OF A DATA PROTECTION ASSESSMENT PURSUANT
TO A REQUEST FROM THE ATTORNEY GENERAL UNDER THIS SUBSECTION (4)
DOES NOT CONSTITUTE A WAIVER OF ANY ATTORNEY-CLIENT PRIVILEGE OR
WORK-PRODUCT PROTECTION THAT MIGHT OTHERWISE EXIST WITH RESPECT
TO THE ASSESSMENT AND ANY INFORMATION CONTAINED IN THE
ASSESSMENT.
(5) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A
COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR
ACTIVITIES.
(6) DATA PROTECTION ASSESSMENT REQUIREMENTS APPLY TO
PROCESSING ACTIVITIES CREATED OR GENERATED AFTER JULY 1, 2023, AND
ARE NOT RETROACTIVE.
6-1-1310. Liability. (1) NOTWITHSTANDING ANY PROVISION IN PART
1 OF THIS ARTICLE 1, THIS PART 13 DOES NOT AUTHORIZE A PRIVATE RIGHT
OF ACTION FOR A VIOLATION OF THIS PART 13 OR ANY OTHER PROVISION OF
LAW. THIS SUBSECTION (1) NEITHER RELIEVES ANY PARTY FROM ANY DUTIES
OR OBLIGATIONS IMPOSED, NOR ALTERS ANY INDEPENDENT RIGHTS THAT
CONSUMERS HAVE, UNDER OTHER LAWS, INCLUDING THIS ARTICLE 1, THE
STATE CONSTITUTION, OR THE UNITED STATES CONSTITUTION.
(2) WHERE MORE THAN ONE CONTROLLER OR PROCESSOR, OR BOTH
A CONTROLLER AND A PROCESSOR, INVOLVED IN THE SAME PROCESSING
VIOLATES THIS PART 13, THE LIABILITY SHALL BE ALLOCATED AMONG THE
PARTIES ACCORDING TO PRINCIPLES OF COMPARATIVE FAULT.
6-1-1311. Enforcement - penalties - repeal.
(1) (a) NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE 1, THE
ATTORNEY GENERAL AND DISTRICT ATTORNEYS HAVE EXCLUSIVE
AUTHORITY TO ENFORCE THIS PART 13 BY BRINGING AN ACTION IN THE NAME
OF THE STATE OR AS PARENS PATRIAE ON BEHALF OF PERSONS RESIDING IN
THE STATE TO ENFORCE THIS PART 13 AS PROVIDED IN THIS ARTICLE 1,
INCLUDING SEEKING AN INJUNCTION TO ENJOIN A VIOLATION OF THIS PART
13.
(b) NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE 1,
NOTHING IN THIS PART 13 SHALL BE CONSTRUED AS PROVIDING THE BASIS
FOR, OR BEING SUBJECT TO, A PRIVATE RIGHT OF ACTION FOR VIOLATIONS OF
THIS PART 13 OR ANY OTHER LAW.
(c) FOR PURPOSES ONLY OF ENFORCEMENT OF THIS PART 13 BY THE
ATTORNEY GENERAL OR A DISTRICT ATTORNEY, A VIOLATION OF THIS PART
13 IS A DECEPTIVE TRADE PRACTICE.
(d) PRIOR TO ANY ENFORCEMENT ACTION PURSUANT TO SUBSECTION
(1)(a) OF THIS SECTION, THE ATTORNEY GENERAL OR DISTRICT ATTORNEY
MUST ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER IF A CURE IS
DEEMED POSSIBLE. IF THE CONTROLLER FAILS TO CURE THE VIOLATION
WITHIN SIXTY DAYS AFTER RECEIPT OF THE NOTICE OF VIOLATION, AN
ACTION MAY BE BROUGHT PURSUANT TO THIS SECTION. THIS SUBSECTION
(1)(d) IS REPEALED, EFFECTIVE JANUARY 1, 2025.
(2) THE STATE TREASURER SHALL CREDIT ALL RECEIPTS FROM THE
IMPOSITION OF CIVIL PENALTIES UNDER THIS PART 13 PURSUANT TO SECTION
24-31-108.
6-1-1312. Preemption - local governments. THIS PART 13
SUPERSEDES AND PREEMPTS LAWS, ORDINANCES, RESOLUTIONS,
REGULATIONS, OR THE EQUIVALENT ADOPTED BY ANY STATUTORY OR HOME
RULE MUNICIPALITY, COUNTY, OR CITY AND COUNTY REGARDING THE
PROCESSING OF PERSONAL DATA BY CONTROLLERS OR PROCESSORS.
6-1-1313. Rules - opt-out mechanism. (1) THE ATTORNEY
GENERAL MAY PROMULGATE RULES FOR THE PURPOSE OF CARRYING OUT
THIS PART 13.
(2) BY JULY 1, 2023, THE ATTORNEY GENERAL SHALL ADOPT RULES
THAT DETAIL THE TECHNICAL SPECIFICATIONS FOR ONE OR MORE UNIVERSAL
OPT-OUT MECHANISMS THAT CLEARLY COMMUNICATE A CONSUMER'S
AFFIRMATIVE, FREELY GIVEN, AND UNAMBIGUOUS CHOICE TO OPT OUT OF
THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF TARGETED
ADVERTISING OR THE SALE OF PERSONAL DATA PURSUANT TO SECTION
6-1-1306 (1)(a)(I)(A) OR (1)(a)(I)(B). THE ATTORNEY GENERAL MAY
UPDATE THE RULES THAT DETAIL THE TECHNICAL SPECIFICATIONS FOR THE
MECHANISMS FROM TIME TO TIME TO REFLECT THE MEANS BY WHICH
CONSUMERS INTERACT WITH CONTROLLERS. THE RULES MUST:
(a) NOT PERMIT THE MANUFACTURER OF A PLATFORM, BROWSER,
DEVICE, OR ANY OTHER PRODUCT OFFERING A UNIVERSAL OPT-OUT
MECHANISM TO UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER;
(b) REQUIRE CONTROLLERS TO INFORM CONSUMERS ABOUT THE
OPT-OUT CHOICES AVAILABLE UNDER SECTION 6-1-1306 (1)(a)(I);
(c) NOT ADOPT A MECHANISM THAT IS A DEFAULT SETTING, BUT
RATHER CLEARLY REPRESENTS THE CONSUMER'S AFFIRMATIVE, FREELY
GIVEN, AND UNAMBIGUOUS CHOICE TO OPT OUT OF THE PROCESSING OF
PERSONAL DATA PURSUANT TO SECTION 6-1-1306 (1)(a)(I)(A) OR
(1)(a)(I)(B);
(d) ADOPT A MECHANISM THAT IS CONSUMER-FRIENDLY, CLEARLY
DESCRIBED, AND EASY TO USE BY THE AVERAGE CONSUMER;
(e) ADOPT A MECHANISM THAT IS AS CONSISTENT AS POSSIBLE WITH
ANY OTHER SIMILAR MECHANISM REQUIRED BY LAW OR REGULATION IN THE
UNITED STATES; AND
(f) PERMIT THE CONTROLLER TO ACCURATELY AUTHENTICATE THE
CONSUMER AS A RESIDENT OF THIS STATE AND DETERMINE THAT THE
MECHANISM REPRESENTS A LEGITIMATE REQUEST TO OPT OUT OF THE
PROCESSING OF PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING
OR THE SALE OF PERSONAL DATA PURSUANT TO SECTION 6-1-1306
(1)(a)(I)(A) OR (1)(a)(I)(B).
(3) BY JANUARY 1, 2025, THE ATTORNEY GENERAL MAY ADOPT
RULES THAT GOVERN THE PROCESS OF ISSUING OPINION LETTERS AND
INTERPRETIVE GUIDANCE TO DEVELOP AN OPERATIONAL FRAMEWORK FOR
BUSINESS THAT INCLUDES A GOOD FAITH RELIANCE DEFENSE OF AN ACTION
THAT MAY OTHERWISE CONSTITUTE A VIOLATION OF THIS PART 13. THE
RULES MUST BECOME EFFECTIVE BY JULY 1, 2025.
SECTION 2. In Colorado Revised Statutes, amend 6-1-104 as
follows:
6-1-104. Cooperative reporting. The district attorneys may
cooperate in a statewide reporting system by receiving, on forms provided
by the attorney general, complaints from persons concerning deceptive trade
practices listed in section 6-1-105 and OR part 7 OR 13 of this article
ARTICLE 1 and transmitting such THE complaints to the attorney general.
SECTION 3. In Colorado Revised Statutes, 6-1-105, add (1)(nnn)
as follows:
6-1-105. Unfair or deceptive trade practices. (1) A person
engages in a deceptive trade practice when, in the course of the person's
business, vocation, or occupation, the person:
(nnn) VIOLATES ANY PROVISION OF PART 13 OF THIS ARTICLE 1 AS
SPECIFIED IN SECTION 6-1-1311 (1)(c).
SECTION 4. In Colorado Revised Statutes, 6-1-107, amend (1)
introductory portion as follows:
6-1-107. Powers of attorney general and district attorneys.
(1) When the attorney general or a district attorney has reasonable cause to
believe that any person, whether in this state or elsewhere, has engaged in
or is engaging in any deceptive trade practice listed in section 6-1-105 or
part 7 OR 13 of this article ARTICLE 1, the attorney general or district
attorney may:
SECTION 5. In Colorado Revised Statutes, 6-1-108, amend (1) as
follows:
6-1-108. Subpoenas - hearings - rules. (1) When the attorney
general or a district attorney has reasonable cause to believe that a person,
whether in this state or elsewhere, has engaged in or is engaging in a
deceptive trade practice listed in section 6-1-105 or part 7 OR 13 of this
article 1, the attorney general or a district attorney, in addition to other
powers conferred upon him or her THE ATTORNEY GENERAL OR A DISTRICT
ATTORNEY by this article 1, may issue subpoenas to require the attendance
of witnesses or the production of documents, administer oaths, conduct
hearings in aid of any investigation or inquiry, and prescribe such forms and
promulgate such rules as may be necessary to administer the provisions of
this article 1.
SECTION 6. In Colorado Revised Statutes, 6-1-110, amend (1)
and (2) as follows:
6-1-110. Restraining orders - injunctions - assurances of
discontinuance. (1) Whenever the attorney general or a district attorney
has cause to believe that a person has engaged in or is engaging in any
deceptive trade practice listed in section 6-1-105 or part 7 OR 13 of this
article ARTICLE 1, the attorney general or district attorney may apply for and
obtain, in an action in the appropriate district court of this state, a temporary
restraining order or injunction, or both, pursuant to the Colorado rules of
civil procedure, prohibiting such THE person from continuing such THE
practices, or engaging therein, or doing any act in furtherance thereof. The
court may make such orders or judgments as may be necessary to prevent
the use or employment by such THE person of any such deceptive trade
practice or which THAT may be necessary to completely compensate or
restore to the original position of any person injured by means of any such
practice or to prevent any unjust enrichment by any person through the use
or employment of any deceptive trade practice.
(2) Where the attorney general or a district attorney has authority to
institute a civil action or other proceeding pursuant to the provisions of this
article ARTICLE 1, the attorney general or district attorney may accept, in lieu
thereof or as a part thereof, an assurance of discontinuance of any deceptive
trade practice listed in section 6-1-105 or part 7 OR 13 of this article. Such
ARTICLE 1. THE assurance may include a stipulation for the voluntary
payment by the alleged violator of the costs of investigation and any action
or proceeding by the attorney general or a district attorney and any amount
necessary to restore to any person any money or property that may have
been acquired by such THE alleged violator by means of any such deceptive
trade practice. Any such assurance of discontinuance accepted by the
attorney general or a district attorney and any such stipulation filed with the
court as a part of any such action or proceeding shall be IS a matter of public
record unless the attorney general or the district attorney determines, at his
or her THE discretion OF THE ATTORNEY GENERAL OR DISTRICT ATTORNEY,
that it will be confidential to the parties to the action or proceeding and to
the court and its employees. Upon the filing of a civil action by the attorney
general or a district attorney alleging that a confidential assurance of
discontinuance or stipulation accepted pursuant to this subsection (2) has
been violated, said THE assurance of discontinuance or stipulation shall
thereupon be deemed BECOMES a public record and open to inspection by
any person. Proof by a preponderance of the evidence of a violation of any
such assurance or stipulation shall constitute CONSTITUTES prima facie
evidence of a deceptive trade practice for the purposes of any civil action
or proceeding brought thereafter by the attorney general or a district
attorney, whether a new action or a subsequent motion or petition in any
pending action or proceeding.
SECTION 7. Act subject to petition - effective date -
applicability. (1) This act takes effect July 1, 2023; except that, if a
referendum petition is filed pursuant to section 1 (3) of article V of the state
constitution against this act or an item, section, or part of this act within the
ninety-day period after final adjournment of the general assembly, then the
act, item, section, or part will not take effect unless approved by the people
at the general election to be held in November 2022 and, in such case, will
take effect July 1, 2023, or on the date of the official declaration of the vote
thereon by the governor, whichever is later.
(2) This act applies to conduct occurring on or after the applicable
effective date of this act.
____________________________
Leroy M. Garcia
PRESIDENT OF THE SENATE
____________________________
Alec Garnett
SPEAKER OF THE HOUSE OF REPRESENTATIVES
____________________________
Cindi L. Markwell
SECRETARY OF THE SENATE
____________________________
Robin Jones
CHIEF CLERK OF THE HOUSE OF REPRESENTATIVES
APPROVED________________________________________
(Date and Time)
_________________________________________
Jared S. Polis
GOVERNOR OF THE STATE OF COLORADO