Signed by Governor Jared Polis

Vote Smart's Synopsis:

Vote to amend and pass a bill that establishes personal privacy protections for data.

Highlights:

• Defines "controller" as a person that, alone or jointly with others, determines the purposes for and means of processing personal data (Sec. 1-6-1-1303-7).

• Alleges the ability to harness and use data in positive ways is driving innovation and brings beneficial technologies to society, but it has also created risks to privacy and freedom (Sec. 1.a.IV).

• Classifies "personal data" as the following (Sec. 1-6-1-1303-17):

• Information that is linked or reasonably linkable to an identified or identifiable individual; and

• Does not include de-identified data or publicly available information. “Publicly available information" means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.

• Specifies this law applies to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by (Sec. 1-6-1-1304.i):

• A consumer reporting agency;

• A furnisher of information that provides information for use in a consumer report; or

• A user of a consumer report.

• Specifies that obligations placed upon a controller does not extend to processing personal data for reasons of public interest in the area of public health, but solely to the extent that the processing (Sec. 1-6-1-1304-3.a.XI):

• Is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and

• Is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

• Establishes the following for personal data that are processed by a controller according to an exception provided by this law (Sec. 1-6-1-1304-4):

• It will not be processed for any purpose other than a purpose expressly listed in this law; and

• It will be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section or as otherwise authorized.

• Authorizes consumers to exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice (Sec. 1-6-1-1306):

• Right to opt out;

• Right of access;

• Right to correction;

• Right to deletion; and

• Right to data portability.

Full Bill Text