Colorado is poised to join the growing number of states enacting a comprehensive privacy law. On Monday, June 7, both houses of the legislature passed the Colorado Privacy Act. The bill will now be sent to the Governor for approval. The Colorado Privacy Act:
The law would apply to legal entities that conduct business or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and either: (1) controls or processes personal data of 100,000 consumers during a calendar year or (2) derives revenue or receives a discount on the price of goods from the sale of personal data or processes or controls the personal data of 25,000 consumers or more. However, the law contains exceptions related to HIPAA, GLBA, COPPA, and FERPA.
In addition, the requirements under the Colorado Privacy Act do not restrict the controller’s ability to, among other things, conduct internal research to improve, repair, or develop products, services or technology; identify and repair errors; or perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller.