Who Is Regulated Under the Colorado Privacy Act?
The Colorado Privacy Act regulates certain businesses that the law terms “controllers.” To qualify as a controller, a business must meet two threshold requirements.
- Determine the purposes for and the means of processing personal data
- Either conduct business in Colorado OR produce or deliver commercial products or services targeted to Colorado residents
Meeting these two requirements alone does not bring a business within the scope of the Colorado Privacy Act.
A business must meet one or both of the following additional requirements to be considered a covered controller:
- Control or process the personal data of 100,000 consumers or more during a calendar year
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 consumers or more
The Colorado Privacy Act also regulates processors. The law defines a “processor” as “a person or entity that processes personal data on behalf of a controller.” The processor, in effect, is to the controller what a HIPAA business associate is to a HIPAA covered entity.
What is Personal Data Under the Colorado Privacy Act?
The Colorado Privacy Act regulates the processing and controlling of personal data. The Colorado Privacy Act defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” Like HIPAA protected health information, personal data does not include de-identified information or publicly available information.
The Colorado Privacy Act also protects a particular class of personal data known as “sensitive personal data.” The Colorado Privacy Act defines “sensitive personal data” as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child.”