After amending the bill to restore several of the previously eliminated privacy protections, the Colorado Senate unanimously passed the Colorado Privacy Act.
The bill was unanimously passed on May 26 and now moves to the State Assembly, and is scheduled to close on June 12.
The Colorado Privacy Act has been significantly amended from the previously passed version, which had made many of the provisions more pro-business than pro-consumer. The recently passed bill has reverted these changes. Some of the revisions include:
Opt In for Collection of Sensitive Data
The bill restores the requirement that consumer consent must be obtained by controllers prior to collecting sensitive data. The previous version had replaced the consent requirement with a notice and opt-out provision.
Modified Definition of “Consent”
The bill defines “consent” to mean a “clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement, such as a written statement, including by electronic means or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose.”
New Data Processor Contract Requirements
Similar to the California Consumer Privacy Act and Virginia Consumer Data Protection Act, the bill now prescribes certain contractual requirements between controllers and processors.
Universal Opt-Out Mechanism
From January 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise their right to opt out of the processing.
Clear and Conspicuous Opt Out
Controllers that process personal data for purposes of targeted advertising or the sale of personal data must “provide a clear and conspicuous method to exercise the right to opt out of the processing” of such data.