[co-author: Stephanie Kozol]
On March 15, Colorado Attorney General Phil Weiser recorded the final version of the Colorado Privacy Act (CPA) Rules, granting Coloradans rights over their own personal data. Effective July 1, the CPA marks the third state to approve a general state privacy law, the second state to author related rules, and the nation’s first state to regulate automatic decision-making (i.e., profiling) and data protection assessments under a general state privacy law.
Specifically, the CPA gives Coloradans access to their personal data collected by businesses, nonprofits, and other entities, with the right to delete or correct that data. It also provides more control over their personal data usage, including a universal opt-out mechanism to safeguard their personal data from sales, targeted advertising, and profiling activities. Further, companies must disclose how they use the data, while also reducing consumer risk of harmful data collection. Lastly, the new law gives the Colorado AG the authority to clarify and enforce CPA compliance.
Why It Matters
Colorado’s landmark new CPA law illustrates the truly collaborative rulemaking process between the Colorado Department of Law and the public, resulting in “carefully craft[ed] rules to both protect consumers and ensure businesses have reasonable direction as they manage Coloradans’ information.”