A new data privacy bill has been passed in Colorado that gives residents the right to delete any personal data collected by companies, and to stop companies from collecting their data in the future.
Colorado is the third state to pass a consumer data privacy bill, and much of its contents is similar to that of its predecessors: the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.
The Act will come into effect 1st July 2023, and outlines five key rights for residents over their personal data:
- The right to opt-out of the sale of their personal data
- The right to opt-out of the processing of personal data for targeted advertising
- The right to access all personal data held by a data controller and make corrections if any of this data is inaccurate
- The right to be provided a copy of their data in a ready-to-use format
- The right to have their personal data erased
The Colorado Privacy Act will apply to all data controllers that conduct business in Colorado that control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year. It will also apply to those who derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers.
Data controllers and other relevant entities will have specific responsibilities surrounding how they collect and process data, including informing consumers about when and why their personal data is being collected, and notifying consumers if their data is sold or used for targeted advertising.
Data controllers will also be required to minimise the collection of personal data and only gather the information they need. All data that is collected must be stored securely to prevent unauthorised access.
Sensitive information, including data relating to ethnicity, religion, mental and physical health, sexual orientation, citizenship status, genetic and biometric data, and the personal data of minors, cannot be collected and processed unless consent is provided by the consumer via an opt-in process.