After amending the bill to restore several of the previously eliminated privacy protections, the Colorado Senate unanimously passed the Colorado Privacy Act.

The bill was unanimously passed on May 26 and now moves to the State Assembly, and is scheduled to close on June 12. 

The Colorado Privacy Act has been significantly amended from the version previously passed, which had made many of the provisions more pro-business than pro-consumer. The recently passed bill has reverted these changes. Some of the revisions include:

Opt In for Collection of Sensitive Data

The bill restores the requirement that consumer consent must be obtained by controllers prior to collecting sensitive data. The previous version had replaced the consent requirement with a notice and opt-out provision.

The bill defines “consent” to mean a “clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement, such as a written statement, including by electronic means or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose.”

New Data Processor Contract Requirements

Similar to the California Consumer Privacy Act and Virginia Consumer Data Protection Act, the bill now prescribes certain contractual requirements between controllers and processors. 

Universal Opt-Out Mechanism

From January 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise their right to opt out of the processing.

Clear and Conspicuous Opt Out

Controllers that process personal data for purposes of targeted advertising or the sale of personal data must “provide a clear and conspicuous method to exercise the right to opt out of the processing” of such data. 
