The bill was presented on May 19 by Democratic Senator José Javier Rodríguez and Republican Senator Ernest Lundeen. It focuses on the protection of consumer data. However, an important point about the scope of the term consumer (which could be understood with a commercial connotation), is that the bill understands it as “a person who is a resident of Colorado and acts only in an individual or family context”, he pointed JDSUPRA.
So what are the main points?
- Applicable to: (data) controllers that conduct business or produce products or services directed to residents of the state of Colorado, provided that: (i) the number of data they control is equal to or greater than 100,000 and / or (ii) have income or receive some profit from the sale of personal data of at least 25,000 consumers.
2. The excluded?: several, including financial and related institutions (but, the logic behind this is that these financial institutions are already committed to compliance with the Gramm-Leach-Bliley Act that addresses privacy regulation on financial consumer data Similarly, other health care organizations are also excluded, under the understanding that the protection of consumer data in these sectors is already ensured by sectoral regulation.
- Consumer rights: (i) exclude yourself from the processing of your personal data, (ii) empower a third party to exclude you from processing on your behalf (iii) access the personal data that is being processed, (iv) correct the personal data entered inaccurately, (v) confirm whether the controller is processing your personal data (vi) delete your personal data from the controller's data bank.
- Controllers obligations: (i) respond to consumer requests within 45 business days, (ii) establish internal processes for handling requests, including an appeal instance, (iii) report on the purposes of data processing; (iv) collect necessary and relevant data taking reasonable measures to protect them during storage, among others.
- About sensitive information: their collection requires positive consent from the consumer.
- Processing agreements: controllers and processors (third parties also involved in data processing) must enter into data processing agreements that include instructions for processing.
If the project is approved, it would take effect on January 1, 2023.