July 1^st isn’t even 2 weeks behind us and Colorado Attorney General Phil Weiser has announced that enforcement letters are on their way. Weiser stated, “As I’ve said publicly throughout the process, this Department’s enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy. Our enforcement of this important law will not seek to make life challenging for organizations complying with the law, but rather will seek to support such efforts.”

While it seems the letters have not been sent yet, Weiser made it clear that the goal is to enable companies to comply through educational information that gives the organization the opportunity to implement and subsequently rectify identified compliance issues. “This Department’s enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy,” said Weiser. “These letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

As a refresher, here’s a summary of the Colorado Privacy Act that went into effect on July 1, 2023.

Colorado Privacy Law Summary

• Scope: applies to entities that operate in Colorado or target Colorado citizens and, annually, either collect more than 100,000 individuals’ data, or receive revenue or otherwise benefit from the sale of personal data and process the personal data of more than 25,000 persons.
• Exemptions: Financial institutions subject to the Gramm-Leach-Bliley Act, many types of healthcare-related data and data governed by FERPA are not subject to the law.
• Consumer Rights: Consumers have the right to opt out of the sale of personal data/targeted advertising/profiling and the right to access/delete/correct their data.
• Consent: Companies must obtain consent prior to collecting or using sensitive data.
• Data Minimization: The law calls on organizations to only collect the minimum, necessary data from consumers.
• Disclosures & Notices: Consumers must have access to clear and transparent notices of what data is collected and why.
• Assessments: Companies must conduct and document a data protection assessment before conducting a processing activity that presents a heightened risk of harm to a consumer.

Why Assessments Are Key to Colorado Privacy Act Compliance

We anticipate this to be a large part of Colorado AG Weiser’s enforcement. As outlined by the Colorado Privacy Act, data protection assessments must identify and weigh the benefits that may flow from the processing of data to the controller, the consumer, other stakeholders such as third parties, and the public against the potential risks to the rights of consumers associated with the processing.

Colorado Privacy Act Enforcement Predictions

If California’s trajectory since the CPRA went into effect is any indication, these letters are a first step in warning organizations that fall in scope of the law that it’s time to comply now. “Yep, he’s serious and he wants everyone to know. If you are reading this blog, you almost certainly aren’t flaunting the law, but are aware of some that are and may want to take notice before it’s too late,” says Truyo President Dan Clarke.

If you have questions about how Truyo can help you comply with the Colorado Privacy Act through compliant disclosures and our online privacy impact assessment tool, reach out to hello@truyo.com or click here to schedule a demo of our comprehensive privacy tool.