The Colorado Privacy Act is enforceable since July 1, 2023. Just as the California Attorney General has done through several sweeps (see here and here), the Colorado Attorney General, Phil Weiser, has announced through letters sent to business that enforcement of the Colorado Privacy Act has begun.
The initial round of letters are meant to educate businesses on their new obligations, with particular emphasis on the collection and use of sensitive data and related prior consent requirement as well as the obligation to allow consumers to opt out of targeted advertising and profiling.
Weiser said “These letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”
The 5 action items for entities covered by the Colorado Privacy Act called out by the Attorney General in this initial sweep are:
- Providing consumers with clear, understandable, and transparent information about how and why they collect, store, use, share, and sell personal data;
- Responding to consumer requests to access, delete, correct, and get a portable copy of their personal data;
- Allowing consumers to opt out of the sale of personal data as well as targeted advertising and certain kinds of profiling;
- Obtaining consent before collecting or using sensitive data; and
- Only collecting the minimum amount of personal data necessary from consumers.
The Colorado Privacy Act does not protect individuals acting in a commercial or employment context, yet the announcement from the Attorney General only calls out the employment context exception in its press release.
For updates on U.S. state privacy laws, please see our California Privacy Law blog and resource page here.
