Colorado has joined California and Virginia in passing a comprehensive data privacy law that forces companies to make wholesale changes to how they handle people’s sensitive information online.
The Colorado Privacy Act, which was signed into law on July 7 by Governor Jared Polis, gives consumers the right to ask companies not to sell their personal information while also giving them access to any data companies have about them. Consumers can also ask companies to delete their data, and the law forces enterprises to ask for consent to hold certain sensitive information like Social Security numbers, driver’s license numbers and more.
While some states have passed narrower laws focused on specific data collection and sale practices, Colorado is considered by experts to be the third state after California and Virginia to pass a commercial privacy law.
In addition to the rights it gives consumers, the act also forces companies to respect opt-out requests submitted on behalf of consumers. The law applies to companies that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive some revenue from sales.
The law, which takes effect in July 2023, was hailed by experts as a step forward for data privacy in the US, even though many had concerns about a number of loopholes in the bill that companies are already taking advantage of with California’s more comprehensive law.
Charles Farina, head of innovation at Adswerve, said it was concerning that the bill did not have a private right of action and noted all of the exemptions — particularly for non-profits.