Colorado Senate passes privacy bill

The bill was unanimously passed on May 26 and now moves to the State Assembly, and is scheduled to close on June 12. 

The Colorado Privacy Act has been significantly amended from the version previously passed which had made many of the provisions more pro-business then pro-consumer. The recently passed bill has reverted these changes. Some of the revisions include:

Opt In for Collection of Sensitive Data

The bill restores the requirement that consumer consent must be obtained by controllers prior to collecting sensitive data. The previous version had replaced the consent requirement with a notice and opt-out provision.

Modified Definition of “Consent”

The bill defines “consent” to mean a “clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement, such as a written statement, including by electronic means or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose.”

New Data Processor Contract Requirements

Similar to the California Consumer Privacy Act and Virginia Consumer Data Protection Act, the bill now prescribes certain contractual requirements between controllers and processors. 

Universal Opt-Out Mechanism

From January 2024, a controlloer that processes personal data for purposes of targeted advetising or the sale of personal data, must allow consumers to exercise their right to opt-out of the processing. 

Clear and Conspicuous Opt Out

Controllers that process personal data for purposes of targeted advertising or the sale of personal data must “provide a clear and conspicuous method to exercise the right to opt out of the processing” of such data.