Press "Enter" to skip to content

Hybrid, Bipartisan Colorado Privacy Act Introduced

Privacy User DataOn March 19, Sen. Robert Rodriguez (D), Chair of the Business, Labor & Technology Committee, and Sen. Paul Lundeen (R), Minority Whip, introduced Senate Bill 21-190 that would create the Colorado Privacy Act. 

While the legislation has some elements in common with the California Consumer Privacy Act, the legislative declaration indicates the primary model was found elsewhere:

    The European Union’s General Data Protection Regulation is emerging as a model for countries across the globe in data privacy; and states across the United States are looking to this and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level.


The Act would apply to a controller that conducts business in Colorado, or produces products or services targeted to Coloradans, and:

  1. Controls or processes the personal data of 100,000 or more consumers per year; or
  2. Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers.


The Act would not apply, among other things, to personal data protected by the Health Insurance Portability and Availability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA), and the data privacy and security regulations adopted pursuant to those federal acts.

Notably, the Act would exempt not only the personal data collected, processed, sold or disclosed pursuant to the GLBA, but would also exempt a financial institution or affiliate subject to the GLBA.

Consumer Rights

The Act would provide consumers the right to:

  1. Opt-out of the processing of their personal information;
  2. Access personal data being processed;
  3. Correct inaccurate personal data;
  4. Delete personal data;
  5. Receive personal data in a portable format; and
  6. Appeal the refusal of a request to exercise a right.

Security Assessments

If the processing of personal data presents a “heightened risk of harm” to consumer, a controller would be required to perform data protection assessments that would be available upon request to the Attorney General, but not subject to public inspection.

Processing that would present a “heightened risk” includes processing for targeted advertising or profiling, selling personal data, and processing sensitive data.

The legislation provides a unique definition for “sale,” which “means the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”

“Sensitive data” includes, in part, personal data revealing racial or ethnic origin, religious beliefs or health conditions, genetic or biometric data, and the personal data of a child.


The legislation does not create a private right of action, with enforcement exclusively in the hands of the Attorney General and district attorneys.  In addition to injunctive relief, civil penalties of not more than $20,000 may be sought pursuant to the Colorado Consumer Protection Act, Colo. Rev. Stat. § 6-1-112.


The Act would preempt local laws seeking to regulate the processing of personal data.

Effective Date

If passed, the Act would become effective Jan. 1, 2023.  However, the legislation provides that if a timely referendum petition is filed against the Act, or any of its sections, then the Act, or those sections, would not take effect unless approved in the November 2022 general election.


This legislation is a unique hybrid, though it stays the course in terms of basic consumer data privacy principles.  It will be interesting to see how much traction it gets and whether it will continue to maintain bipartisan support.

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.