SENATE BILL 21-190
BY SENATOR(S) Rodriguez and Lundeen, Bridges, Buckner, Coleman, Cooke, Danielson, Donovan, Fenberg, Gardner, Ginal, Gonzales, Hansen, Hisey, Holbert, Jaquez Lewis, Kirkmeyer, Kolker, Lee, Liston, Moreno, Pettersen, Priola, Rankin, Scott, Simpson, Sonnenberg, Story, Winter, Woodward, Garcia;
also REPRESENTATIVE(S) Duran and Carver, Bernett, Bird, Cutter, Exum, Gonzales-Gutierrez, Gray, Herod, Jodeh, Lynch, McCluskie, McCormick, Mullica, Ricks, Snyder, Titone, Valdez A., Woodrow.
CONCERNING ADDITIONAL PROTECTION OF DATA RELATING TO PERSONAL PRIVACY.
Be it enacted by the General Assembly of the State of Colorado:
SECTION 1. In Colorado Revised Statutes, add part 13 to article 1 of title 6 as follows:
PART 13
COLORADO PRIVACY ACT
6-1-1301. Short title. THE SHORT TITLE OF THIS PART 13 IS THE "COLORADO PRIVACY ACT".
Capital letters or bold & italic numbers indicate new material added to existing law; dashes through words or numbers indicate deletions from existing law and such material is not part of the act.
6-1-1302. Legislative declaration. (1) THE GENERAL ASSEMBLY HEREBY:
(a) FINDS THAT:
(I) THE PEOPLE OF COLORADO REGARD THEIR PRIVACY AS A FUNDAMENTAL RIGHT AND AN ESSENTIAL ELEMENT OF THEIR INDIVIDUAL FREEDOM;
(II) COLORADO'S CONSTITUTION EXPLICITLY PROVIDES THE RIGHT TO PRIVACY UNDER SECTION 7 OF ARTICLE II, AND FUNDAMENTAL PRIVACY RIGHTS HAVE LONG BEEN, AND CONTINUE TO BE, INTEGRAL TO PROTECTING COLORADANS AND TO SAFEGUARDING OUR DEMOCRATIC REPUBLIC;
(III) ONGOING ADVANCES IN TECHNOLOGY HAVE PRODUCED EXPONENTIAL GROWTH IN THE VOLUME AND VARIETY OF PERSONAL DATA BEING GENERATED, COLLECTED, STORED, AND ANALYZED AND THESE ADVANCES PRESENT BOTH PROMISE AND POTENTIAL PERIL;
(IV) THE ABILITY TO HARNESS AND USE DATA IN POSITIVE WAYS IS DRIVING INNOVATION AND BRINGS BENEFICIAL TECHNOLOGIES TO SOCIETY, BUT IT HAS ALSO CREATED RISKS TO PRIVACY AND FREEDOM; AND
(V) THE UNAUTHORIZED DISCLOSURE OF PERSONAL INFORMATION AND LOSS OF PRIVACY CAN HAVE DEVASTATING IMPACTS RANGING FROM FINANCIAL FRAUD, IDENTITY THEFT, AND UNNECESSARY COSTS IN PERSONAL TIME AND FINANCES TO DESTRUCTION OF PROPERTY, HARASSMENT, REPUTATIONAL DAMAGE, EMOTIONAL DISTRESS, AND PHYSICAL HARM;
(b) DETERMINES THAT:
(I) TECHNOLOGICAL INNOVATION AND NEW USES OF DATA CAN HELP SOLVE SOCIETAL PROBLEMS AND IMPROVE LIVES, AND IT IS POSSIBLE TO BUILD A WORLD WHERE TECHNOLOGICAL INNOVATION AND PRIVACY CAN COEXIST; AND
(II) STATES ACROSS THE UNITED STATES ARE LOOKING TO THIS PART 13 AND SIMILAR MODELS TO ENACT STATE-BASED DATA PRIVACY REQUIREMENTS AND TO EXERCISE THE LEADERSHIP THAT IS LACKING AT THE NATIONAL LEVEL; AND
(c) DECLARES THAT:
(I) BY ENACTING THIS PART 13, COLORADO WILL BE AMONG THE STATES THAT EMPOWER CONSUMERS TO PROTECT THEIR PRIVACY AND REQUIRE COMPANIES TO BE RESPONSIBLE CUSTODIANS OF DATA AS THEY CONTINUE TO INNOVATE;
(II) THIS PART 13 ADDRESSES ISSUES OF STATEWIDE CONCERN AND:
(A) PROVIDES CONSUMERS THE RIGHT TO ACCESS, CORRECT, AND DELETE PERSONAL DATA AND THE RIGHT TO OPT OUT NOT ONLY OF THE SALE OF PERSONAL DATA BUT ALSO OF THE COLLECTION AND USE OF PERSONAL DATA;
(B) IMPOSES AN AFFIRMATIVE OBLIGATION UPON COMPANIES TO SAFEGUARD PERSONAL DATA; TO PROVIDE CLEAR, UNDERSTANDABLE, AND TRANSPARENT INFORMATION TO CONSUMERS ABOUT HOW THEIR PERSONAL DATA ARE USED; AND TO STRENGTHEN COMPLIANCE AND ACCOUNTABILITY BY REQUIRING DATA PROTECTION ASSESSMENTS IN THE COLLECTION AND USE OF PERSONAL DATA; AND
(C) EMPOWERS THE ATTORNEY GENERAL AND DISTRICT ATTORNEYS TO ACCESS AND EVALUATE A COMPANY'S DATA PROTECTION ASSESSMENTS, TO IMPOSE PENALTIES WHERE VIOLATIONS OCCUR, AND TO PREVENT FUTURE VIOLATIONS.
6-1-1303. Definitions. AS USED IN THIS PART 13, UNLESS THE CONTEXT OTHERWISE REQUIRES:
(1) "AFFILIATE" MEANS A LEGAL ENTITY THAT CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER LEGAL ENTITY. AS USED IN THIS SUBSECTION (1), "CONTROL" MEANS:
(a) OWNERSHIP OF, CONTROL OF, OR POWER TO VOTE TWENTY-FIVE PERCENT OR MORE OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF THE ENTITY, DIRECTLY OR INDIRECTLY, OR ACTING THROUGH ONE OR MORE OTHER PERSONS;
(b) CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS, TRUSTEES, OR GENERAL PARTNERS OF THE ENTITY OR OF INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR
(c) THE POWER TO EXERCISE, DIRECTLY OR INDIRECTLY, A CONTROLLING INFLUENCE OVER THE MANAGEMENT OR POLICIES OF THE ENTITY AS DETERMINED BY THE APPLICABLE PRUDENTIAL REGULATOR, AS THAT TERM IS DEFINED IN 12 U.S.C. SEC. 5481 (24), IF ANY.
(2) "AUTHENTICATE" MEANS TO USE REASONABLE MEANS TO DETERMINE THAT A REQUEST TO EXERCISE ANY OF THE RIGHTS IN SECTION 6-1-1306 (1) IS BEING MADE BY OR ON BEHALF OF THE CONSUMER WHO IS ENTITLED TO EXERCISE THE RIGHTS.
(3) "BUSINESS ASSOCIATE" HAS THE MEANING ESTABLISHED IN 45 CFR 160.103.
(4) "CHILD" MEANS AN INDIVIDUAL UNDER THIRTEEN YEARS OF AGE.
(5) "CONSENT" MEANS A CLEAR, AFFIRMATIVE ACT SIGNIFYING A CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS AGREEMENT, SUCH AS BY A WRITTEN STATEMENT, INCLUDING BY ELECTRONIC MEANS, OR OTHER CLEAR, AFFIRMATIVE ACTION BY WHICH THE CONSUMER SIGNIFIES AGREEMENT TO THE PROCESSING OF PERSONAL DATA. THE FOLLOWING DOES NOT CONSTITUTE CONSENT:
(a) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA PROCESSING ALONG WITH OTHER, UNRELATED INFORMATION;
(b) HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN PIECE OF CONTENT; AND
(c) AGREEMENT OBTAINED THROUGH DARK PATTERNS.
(6) "CONSUMER":
(a) MEANS AN INDIVIDUAL WHO IS A COLORADO RESIDENT ACTING ONLY IN AN INDIVIDUAL OR HOUSEHOLD CONTEXT; AND
(b) DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT, AS A JOB APPLICANT, OR AS A BENEFICIARY OF SOMEONE ACTING IN AN EMPLOYMENT CONTEXT.
(7) "CONTROLLER" MEANS A PERSON THAT, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES FOR AND MEANS OF PROCESSING PERSONAL DATA.
(8) "COVERED ENTITY" HAS THE MEANING ESTABLISHED IN 45 CFR 160.103.
(9) "DARK PATTERN" MEANS A USER INTERFACE DESIGNED OR MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE.
(10) "DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER" MEANS A DECISION THAT RESULTS IN THE PROVISION OR DENIAL OF FINANCIAL OR LENDING SERVICES, HOUSING, INSURANCE, EDUCATION ENROLLMENT OR OPPORTUNITY, CRIMINAL JUSTICE, EMPLOYMENT OPPORTUNITIES, HEALTH-CARE SERVICES, OR ACCESS TO ESSENTIAL GOODS OR SERVICES.
(11) "DE-IDENTIFIED DATA" MEANS DATA THAT CANNOT REASONABLY BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO, AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL, OR A DEVICE LINKED TO SUCH AN INDIVIDUAL, IF THE CONTROLLER THAT POSSESSES THE DATA:
(a) TAKES REASONABLE MEASURES TO ENSURE THAT THE DATA CANNOT BE ASSOCIATED WITH AN INDIVIDUAL;
(b) PUBLICLY COMMITS TO MAINTAIN AND USE THE DATA ONLY IN A DE-IDENTIFIED FASHION AND NOT ATTEMPT TO RE-IDENTIFY THE DATA; AND
(c) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE INFORMATION TO COMPLY WITH THE REQUIREMENTS OF THIS SUBSECTION (11).
(12) "HEALTH-CARE FACILITY" MEANS ANY ENTITY THAT IS LICENSED, CERTIFIED, OR OTHERWISE AUTHORIZED OR PERMITTED BY LAW TO ADMINISTER MEDICAL TREATMENT IN THIS STATE.
(13) "HEALTH-CARE INFORMATION" MEANS INDIVIDUALLY IDENTIFIABLE INFORMATION RELATING TO THE PAST, PRESENT, OR FUTURE HEALTH STATUS OF AN INDIVIDUAL.
(14) "HEALTH-CARE PROVIDER" MEANS A PERSON LICENSED, CERTIFIED, OR REGISTERED IN THIS STATE TO PRACTICE MEDICINE, PHARMACY, CHIROPRACTIC, NURSING, PHYSICAL THERAPY, PODIATRY, DENTISTRY, OPTOMETRY, OCCUPATIONAL THERAPY, OR OTHER HEALING ARTS UNDER TITLE 12.
(15) "HIPAA" MEANS THE FEDERAL "HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996", AS AMENDED, 42 U.S.C. SECS. 1320d TO 1320d-9.
(16) "IDENTIFIED OR IDENTIFIABLE INDIVIDUAL" MEANS AN INDIVIDUAL WHO CAN BE READILY IDENTIFIED, DIRECTLY OR INDIRECTLY, IN PARTICULAR BY REFERENCE TO AN IDENTIFIER SUCH AS A NAME, AN IDENTIFICATION NUMBER, SPECIFIC GEOLOCATION DATA, OR AN ONLINE IDENTIFIER.
(17) "PERSONAL DATA":
(a) MEANS INFORMATION THAT IS LINKED OR REASONABLY LINKABLE TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL; AND
(b) DOES NOT INCLUDE DE-IDENTIFIED DATA OR PUBLICLY AVAILABLE INFORMATION. AS USED IN THIS SUBSECTION (17)(b), "PUBLICLY AVAILABLE INFORMATION" MEANS INFORMATION THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS AND INFORMATION THAT A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE THE CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC.
(18) "PROCESS" OR "PROCESSING" MEANS THE COLLECTION, USE, SALE, STORAGE, DISCLOSURE, ANALYSIS, DELETION, OR MODIFICATION OF PERSONAL DATA AND INCLUDES THE ACTIONS OF A CONTROLLER DIRECTING A PROCESSOR TO PROCESS PERSONAL DATA.
(19) "PROCESSOR" MEANS A PERSON THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER.
(20) "PROFILING" MEANS ANY FORM OF AUTOMATED PROCESSING OF PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS CONCERNING AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL'S ECONOMIC SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.
(21) "PROTECTED HEALTH INFORMATION" HAS THE MEANING ESTABLISHED IN 45 CFR 160.103.
(22) "PSEUDONYMOUS DATA" MEANS PERSONAL DATA THAT CAN NO LONGER BE ATTRIBUTED TO A SPECIFIC INDIVIDUAL WITHOUT THE USE OF ADDITIONAL INFORMATION IF THE ADDITIONAL INFORMATION IS KEPT SEPARATELY AND IS SUBJECT TO TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THAT THE PERSONAL DATA ARE NOT ATTRIBUTED TO A SPECIFIC INDIVIDUAL.
(23) (a) "SALE", "SELL", OR "SOLD" MEANS THE EXCHANGE OF PERSONAL DATA FOR MONETARY OR OTHER VALUABLE CONSIDERATION BY A CONTROLLER TO A THIRD PARTY.
(b) "SALE", "SELL", OR "SOLD" DOES NOT INCLUDE THE FOLLOWING:
(I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR THAT PROCESSES THE PERSONAL DATA ON BEHALF OF A CONTROLLER;
(II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE REQUESTED BY THE CONSUMER;
(III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN AFFILIATE OF THE CONTROLLER;
(IV) THE DISCLOSURE OR TRANSFER TO A THIRD PARTY OF PERSONAL DATA AS AN ASSET THAT IS PART OF A PROPOSED OR ACTUAL MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER'S ASSETS; OR
(V) THE DISCLOSURE OF PERSONAL DATA:
(A) THAT A CONSUMER DIRECTS THE CONTROLLER TO DISCLOSE OR INTENTIONALLY DISCLOSES BY USING THE CONTROLLER TO INTERACT WITH A THIRD PARTY; OR
(B) INTENTIONALLY MADE AVAILABLE BY A CONSUMER TO THE GENERAL PUBLIC VIA A CHANNEL OF MASS MEDIA.
(24) "SENSITIVE DATA" MEANS:
(a) PERSONAL DATA REVEALING RACIAL OR ETHNIC ORIGIN, RELIGIOUS BELIEFS, A MENTAL OR PHYSICAL HEALTH CONDITION OR DIAGNOSIS, SEX LIFE OR SEXUAL ORIENTATION, OR CITIZENSHIP OR CITIZENSHIP STATUS;
(b) GENETIC OR BIOMETRIC DATA THAT MAY BE PROCESSED FOR THE PURPOSE OF UNIQUELY IDENTIFYING AN INDIVIDUAL; OR
(c) PERSONAL DATA FROM A KNOWN CHILD.
(25) "TARGETED ADVERTISING":
(a) MEANS DISPLAYING TO A CONSUMER AN ADVERTISEMENT THAT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED OVER TIME FROM THE CONSUMER'S ACTIVITIES ACROSS NONAFFILIATED WEBSITES, APPLICATIONS, OR ONLINE SERVICES TO PREDICT CONSUMER PREFERENCES OR INTERESTS; AND
(b) DOES NOT INCLUDE:
(I) ADVERTISING TO A CONSUMER IN RESPONSE TO THE CONSUMER'S REQUEST FOR INFORMATION OR FEEDBACK;
(II) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A CONTROLLER'S OWN WEBSITES OR ONLINE APPLICATIONS;
(III) ADVERTISEMENTS BASED ON THE CONTEXT OF A CONSUMER'S CURRENT SEARCH QUERY, VISIT TO A WEBSITE, OR ONLINE APPLICATION; OR
(IV) PROCESSING PERSONAL DATA SOLELY FOR MEASURING OR REPORTING ADVERTISING PERFORMANCE, REACH, OR FREQUENCY.
(26) "THIRD PARTY" MEANS A PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER THAN A CONSUMER, CONTROLLER, PROCESSOR, OR AFFILIATE OF THE PROCESSOR OR THE CONTROLLER.
6-1-1304. Applicability of part. (1) EXCEPT AS SPECIFIED IN SUBSECTION (2) OF THIS SECTION, THIS PART 13 APPLIES TO A CONTROLLER THAT:
(a) CONDUCTS BUSINESS IN COLORADO OR PRODUCES OR DELIVERS COMMERCIAL PRODUCTS OR SERVICES THAT ARE INTENTIONALLY TARGETED TO RESIDENTS OF COLORADO; AND
(b) SATISFIES ONE OR BOTH OF THE FOLLOWING THRESHOLDS:
(I) CONTROLS OR PROCESSES THE PERSONAL DATA OF ONE HUNDRED THOUSAND CONSUMERS OR MORE DURING A CALENDAR YEAR; OR
(II) DERIVES REVENUE OR RECEIVES A DISCOUNT ON THE PRICE OF GOODS OR SERVICES FROM THE SALE OF PERSONAL DATA AND PROCESSES OR CONTROLS THE PERSONAL DATA OF TWENTY-FIVE THOUSAND CONSUMERS OR MORE.
(2) THIS PART 13 DOES NOT APPLY TO:
(a) PROTECTED HEALTH INFORMATION THAT IS COLLECTED, STORED, AND PROCESSED BY A COVERED ENTITY OR ITS BUSINESS ASSOCIATES;
(b) HEALTH-CARE INFORMATION THAT IS GOVERNED BY PART 8 OF ARTICLE 1 OF TITLE 25 SOLELY FOR THE PURPOSE OF ACCESS TO MEDICAL RECORDS;
(c) PATIENT IDENTIFYING INFORMATION, AS DEFINED IN 42 CFR 2.11, THAT ARE GOVERNED BY AND COLLECTED AND PROCESSED PURSUANT TO 42 CFR 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290dd-2;
(d) IDENTIFIABLE PRIVATE INFORMATION, AS DEFINED IN 45 CFR 46.102, FOR PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS PURSUANT TO 45 CFR 46; IDENTIFIABLE PRIVATE INFORMATION THAT IS COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH PURSUANT TO THE ICH E6 GOOD CLINICAL PRACTICE GUIDELINE ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN SUBJECTS UNDER 21 CFR 50 AND 56; OR PERSONAL DATA USED OR SHARED IN RESEARCH CONDUCTED IN ACCORDANCE WITH ONE OR MORE OF THE CATEGORIES SET FORTH IN THIS SUBSECTION (2)(d);
(e) INFORMATION AND DOCUMENTS CREATED BY A COVERED ENTITY FOR PURPOSES OF COMPLYING WITH HIPAA AND ITS IMPLEMENTING REGULATIONS;
(f) PATIENT SAFETY WORK PRODUCT, AS DEFINED IN 42 CFR 3.20, THAT IS CREATED FOR PURPOSES OF PATIENT SAFETY IMPROVEMENT PURSUANT TO 42 CFR 3, ESTABLISHED PURSUANT TO 42 U.S.C. SECS. 299b-21 TO 299b-26;
(g) INFORMATION THAT IS:
(I) DE-IDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DE-IDENTIFICATION SET FORTH IN 45 CFR 164; AND
(II) DERIVED FROM ANY OF THE HEALTH-CARE-RELATED INFORMATION DESCRIBED IN THIS SECTION.
(h) INFORMATION MAINTAINED IN THE SAME MANNER AS INFORMATION UNDER SUBSECTIONS (2)(a) TO (2)(g) OF THIS SECTION BY:
(I) A COVERED ENTITY OR BUSINESS ASSOCIATE;
(II) A HEALTH-CARE FACILITY OR HEALTH-CARE PROVIDER; OR
(III) A PROGRAM OF A QUALIFIED SERVICE ORGANIZATION AS DEFINED IN 42 CFR 2.11;
(i) (I) EXCEPT AS PROVIDED IN SUBSECTION (2)(i)(II) OF THIS SECTION, AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S CREDITWORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING BY:
(A) A CONSUMER REPORTING AGENCY AS DEFINED IN 15 U.S.C. SEC. 1681a (f);
(B) A FURNISHER OF INFORMATION AS SET FORTH IN 15 U.S.C. SEC. 1681s-2 THAT PROVIDES INFORMATION FOR USE IN A CONSUMER REPORT, AS DEFINED IN 15 U.S.C. SEC. 1681a (d); OR
(C) A USER OF A CONSUMER REPORT AS SET FORTH IN 15 U.S.C. SEC. 1681b.
(II) THIS SUBSECTION (2)(i) APPLIES ONLY TO THE EXTENT THAT THE ACTIVITY IS REGULATED BY THE FEDERAL "FAIR CREDIT REPORTING ACT", 15 U.S.C. SEC. 1681 ET SEQ., AS AMENDED, AND THE PERSONAL DATA ARE NOT COLLECTED, MAINTAINED, DISCLOSED, SOLD, COMMUNICATED, OR USED EXCEPT AS AUTHORIZED BY THE FEDERAL "FAIR CREDIT REPORTING ACT", AS AMENDED.
(j) PERSONAL DATA:
(I) COLLECTED AND MAINTAINED FOR PURPOSES OF ARTICLE 22 OF TITLE 10;
(II) COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL "GRAMM-LEACH-BLILEY ACT", 15 U.S.C. SEC. 6801 ET SEQ., AS AMENDED, AND IMPLEMENTING REGULATIONS, IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLIANCE WITH THAT LAW;
(III) COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL "DRIVER'S PRIVACY PROTECTION ACT OF 1994", 18 U.S.C. SEC. 2721 ET SEQ., AS AMENDED, IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS REGULATED BY THAT LAW, INCLUDING IMPLEMENTING RULES, REGULATIONS, OR EXEMPTIONS;
(IV) REGULATED BY THE FEDERAL "CHILDREN'S ONLINE PRIVACY PROTECTION ACT OF 1998", 15 U.S.C. SECS. 6501 TO 6506, AS AMENDED, IF COLLECTED, PROCESSED, AND MAINTAINED IN COMPLIANCE WITH THAT LAW; OR
(V) REGULATED BY THE FEDERAL "FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974", 20 U.S.C. SEC. 1232g ET SEQ., AS AMENDED, AND ITS IMPLEMENTING REGULATIONS;
(k) DATA MAINTAINED FOR EMPLOYMENT RECORDS PURPOSES;
(l) AN AIR CARRIER AS DEFINED IN AND REGULATED UNDER 49 U.S.C. SEC. 40101 ET SEQ., AS AMENDED, AND 49 U.S.C. SEC. 41713, AS AMENDED;
(m) A NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT TO THE FEDERAL "SECURITIES EXCHANGE ACT OF 1934", 15 U.S.C. SEC. 78o-3, AS AMENDED, OR IMPLEMENTING REGULATIONS;
(n) CUSTOMER DATA MAINTAINED BY A PUBLIC UTILITY AS DEFINED IN SECTION 40-1-103 (1)(a)(I) OR AN AUTHORITY AS DEFINED IN SECTION 43-4-503 (1), IF THE DATA ARE NOT COLLECTED, MAINTAINED, DISCLOSED, SOLD, COMMUNICATED, OR USED EXCEPT AS AUTHORIZED BY STATE AND FEDERAL LAW;
(o) DATA MAINTAINED BY A STATE INSTITUTION OF HIGHER EDUCATION, AS DEFINED IN SECTION 23-18-102 (10), THE STATE, THE JUDICIAL DEPARTMENT OF THE STATE, OR A COUNTY, CITY AND COUNTY, OR MUNICIPALITY IF THE DATA IS COLLECTED, MAINTAINED, DISCLOSED, COMMUNICATED, AND USED AS AUTHORIZED BY STATE AND FEDERAL LAW FOR NONCOMMERCIAL PURPOSES. THIS SUBSECTION (2)(o) DOES NOT EFFECT ANY OTHER EXEMPTION AVAILABLE UNDER THIS PART 13.
(p) INFORMATION USED AND DISCLOSED IN COMPLIANCE WITH 45 CFR 164.512; OR
(q) A FINANCIAL INSTITUTION OR AN AFFILIATE OF A FINANCIAL INSTITUTION AS DEFINED BY AND THAT IS SUBJECT TO THE FEDERAL "GRAMM-LEACH-BLILEY ACT", 15 U.S.C. SEC. 6801 ET SEQ., AS AMENDED, AND IMPLEMENTING REGULATIONS, INCLUDING REGULATION P, 12 CFR 1016.
(3) THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS PART 13 DO NOT:
(a) RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO:
(I) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS;
(II) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITIES;
(III) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAW;
(IV) INVESTIGATE, EXERCISE, PREPARE FOR, OR DEFEND ACTUAL OR ANTICIPATED LEGAL CLAIMS;
(V) CONDUCT INTERNAL RESEARCH TO IMPROVE, REPAIR, OR DEVELOP PRODUCTS, SERVICES, OR TECHNOLOGY;
(VI) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY;
(VII) PERFORM INTERNAL OPERATIONS THAT ARE REASONABLY ALIGNED WITH THE EXPECTATIONS OF THE CONSUMER BASED ON THE CONSUMER'S EXISTING RELATIONSHIP WITH THE CONTROLLER;
(VIII) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER OR THE PARENT OR GUARDIAN OF A CHILD, PERFORM A CONTRACT TO WHICH THE CONSUMER IS A PARTY, OR TAKE STEPS AT THE REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT;
(IX) PROTECT THE VITAL INTERESTS OF THE CONSUMER OR OF ANOTHER INDIVIDUAL;
(X) PREVENT, DETECT, PROTECT AGAINST, OR RESPOND TO SECURITY INCIDENTS, IDENTITY THEFT, FRAUD, HARASSMENT, OR MALICIOUS, DECEPTIVE, OR ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR ANY SUCH ACTION;
(XI) PROCESS PERSONAL DATA FOR REASONS OF PUBLIC INTEREST IN THE AREA OF PUBLIC HEALTH, BUT SOLELY TO THE EXTENT THAT THE PROCESSING:
(A) IS SUBJECT TO SUITABLE AND SPECIFIC MEASURES TO SAFEGUARD THE RIGHTS OF THE CONSUMER WHOSE PERSONAL DATA ARE PROCESSED; AND
(B) IS UNDER THE RESPONSIBILITY OF A PROFESSIONAL SUBJECT TO CONFIDENTIALITY OBLIGATIONS UNDER FEDERAL, STATE, OR LOCAL LAW; OR
(XII) ASSIST ANOTHER PERSON WITH ANY OF THE ACTIVITIES SET FORTH IN THIS SUBSECTION (3);
(b) APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THIS PART 13 WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER COLORADO LAW;
(c) PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER COLORADO LAW AS PART OF A PRIVILEGED COMMUNICATION;
(d) APPLY TO INFORMATION MADE AVAILABLE BY A THIRD PARTY THAT THE CONTROLLER HAS A REASONABLE BASIS TO BELIEVE IS PROTECTED SPEECH PURSUANT TO APPLICABLE LAW; AND
(e) APPLY TO THE PROCESSING OF PERSONAL DATA BY AN INDIVIDUAL IN THE COURSE OF A PURELY PERSONAL OR HOUSEHOLD ACTIVITY.
(4) PERSONAL DATA THAT ARE PROCESSED BY A CONTROLLER PURSUANT TO AN EXCEPTION PROVIDED BY THIS SECTION:
(a) SHALL NOT BE PROCESSED FOR ANY PURPOSE OTHER THAN A PURPOSE EXPRESSLY LISTED IN THIS SECTION OR AS OTHERWISE AUTHORIZED BY THIS PART 13; AND
(b) SHALL BE PROCESSED SOLELY TO THE EXTENT THAT THE PROCESSING IS NECESSARY, REASONABLE, AND PROPORTIONATE TO THE SPECIFIC PURPOSE OR PURPOSES LISTED IN THIS SECTION OR AS OTHERWISE AUTHORIZED BY THIS PART 13.
(5) IF A CONTROLLER PROCESSES PERSONAL DATA PURSUANT TO AN EXEMPTION IN THIS SECTION, THE CONTROLLER BEARS THE BURDEN OF DEMONSTRATING THAT THE PROCESSING QUALIFIES FOR THE EXEMPTION AND COMPLIES WITH THE REQUIREMENTS IN SUBSECTION (4) OF THIS SECTION.
6-1-1305. Responsibility according to role. (1) CONTROLLERS AND PROCESSORS SHALL MEET THEIR RESPECTIVE OBLIGATIONS ESTABLISHED UNDER THIS PART 13.
(2) PROCESSORS SHALL ADHERE TO THE INSTRUCTIONS OF THE CONTROLLER AND ASSIST THE CONTROLLER TO MEET ITS OBLIGATIONS UNDER THIS PART 13. TAKING INTO ACCOUNT THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR, THE PROCESSOR SHALL ASSIST THE CONTROLLER BY:
(a) TAKING APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES, INSOFAR AS THIS IS POSSIBLE, FOR THE FULFILLMENT OF THE CONTROLLER'S OBLIGATION TO RESPOND TO CONSUMER REQUESTS TO EXERCISE THEIR RIGHTS PURSUANT TO SECTION 6-1-1306;
(b) HELPING TO MEET THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF THE SYSTEM PURSUANT TO SECTION 6-1-716; AND
(c) PROVIDING INFORMATION TO THE CONTROLLER NECESSARY TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT ANY DATA PROTECTION ASSESSMENTS REQUIRED BY SECTION 6-1-1309. THE CONTROLLER AND PROCESSOR ARE EACH RESPONSIBLE FOR ONLY THE MEASURES ALLOCATED TO THEM.
(3) NOTWITHSTANDING THE INSTRUCTIONS OF THE CONTROLLER, A PROCESSOR SHALL:
(a) ENSURE THAT EACH PERSON PROCESSING THE PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA; AND
(b) ENGAGE A SUBCONTRACTOR ONLY AFTER PROVIDING THE CONTROLLER WITH AN OPPORTUNITY TO OBJECT AND PURSUANT TO A WRITTEN CONTRACT IN ACCORDANCE WITH SUBSECTION (5) OF THIS SECTION THAT REQUIRES THE SUBCONTRACTOR TO MEET THE OBLIGATIONS OF THE PROCESSOR WITH RESPECT TO THE PERSONAL DATA.
(4) TAKING INTO ACCOUNT THE CONTEXT OF PROCESSING, THE CONTROLLER AND THE PROCESSOR SHALL IMPLEMENT APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE A LEVEL OF SECURITY APPROPRIATE TO THE RISK AND ESTABLISH A CLEAR ALLOCATION OF THE RESPONSIBILITIES BETWEEN THEM TO IMPLEMENT THE MEASURES.
(5) PROCESSING BY A PROCESSOR MUST BE GOVERNED BY A CONTRACT BETWEEN THE CONTROLLER AND THE PROCESSOR THAT IS BINDING ON BOTH PARTIES AND THAT SETS OUT:
(a) THE PROCESSING INSTRUCTIONS TO WHICH THE PROCESSOR IS BOUND, INCLUDING THE NATURE AND PURPOSE OF THE PROCESSING;
(b) THE TYPE OF PERSONAL DATA SUBJECT TO THE PROCESSING, AND THE DURATION OF THE PROCESSING;
(c) THE REQUIREMENTS IMPOSED BY THIS SUBSECTION (5) AND SUBSECTIONS (3) AND (4) OF THIS SECTION; AND
(d) THE FOLLOWING REQUIREMENTS:
(I) AT THE CHOICE OF THE CONTROLLER, THE PROCESSOR SHALL DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
(II) (A) THE PROCESSOR SHALL MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION NECESSARY TO DEMONSTRATE COMPLIANCE WITH THE OBLIGATIONS IN THIS PART 13; AND
(B) THE PROCESSOR SHALL ALLOW FOR, AND CONTRIBUTE TO, REASONABLE AUDITS AND INSPECTIONS BY THE CONTROLLER OR THE CONTROLLER'S DESIGNATED AUDITOR. ALTERNATIVELY, THE PROCESSOR MAY, WITH THE CONTROLLER'S CONSENT, ARRANGE FOR A QUALIFIED AND INDEPENDENT AUDITOR TO CONDUCT, AT LEAST ANNUALLY AND AT THE PROCESSOR'S EXPENSE, AN AUDIT OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS PART 13 USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND AUDIT PROCEDURE FOR THE AUDITS AS APPLICABLE. THE PROCESSOR SHALL PROVIDE A REPORT OF THE AUDIT TO THE CONTROLLER UPON REQUEST.
(6) IN NO EVENT MAY A CONTRACT RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THEM BY VIRTUE OF ITS ROLE IN THE PROCESSING RELATIONSHIP AS DEFINED BY THIS PART 13.
(7) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETERMINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA ARE TO BE PROCESSED. A PERSON THAT IS NOT LIMITED IN ITS PROCESSING OF PERSONAL DATA PURSUANT TO A CONTROLLER'S INSTRUCTIONS, OR THAT FAILS TO ADHERE TO THE INSTRUCTIONS, IS A CONTROLLER AND NOT A PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA. A PROCESSOR THAT CONTINUES TO ADHERE TO A CONTROLLER'S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA REMAINS A PROCESSOR. IF A PROCESSOR BEGINS, ALONE OR JOINTLY WITH OTHERS, DETERMINING THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA, IT IS A CONTROLLER WITH RESPECT TO THE PROCESSING.
(8) (a) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO ANOTHER CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS PART 13 DOES NOT VIOLATE THIS PART 13 IF THE RECIPIENT PROCESSES THE PERSONAL DATA IN VIOLATION OF THIS PART 13, AND, AT THE TIME OF DISCLOSING THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECIPIENT INTENDED TO COMMIT A VIOLATION.
(b) A CONTROLLER OR PROCESSOR RECEIVING PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS PART 13 AS SPECIFIED IN SUBSECTION (8)(a) OF THIS SECTION DOES NOT VIOLATE THIS PART 13 IF THE CONTROLLER OR PROCESSOR FROM WHICH IT RECEIVES THE PERSONAL DATA FAILS TO COMPLY WITH APPLICABLE OBLIGATIONS UNDER THIS PART 13.
6-1-1306. Consumer personal data rights - repeal. (1) CONSUMERS MAY EXERCISE THE FOLLOWING RIGHTS BY SUBMITTING A REQUEST USING THE METHODS SPECIFIED BY THE CONTROLLER IN THE PRIVACY NOTICE REQUIRED UNDER SECTION 6-1-1308 (1)(a). THE METHOD MUST TAKE INTO ACCOUNT THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER, THE NEED FOR SECURE AND RELIABLE COMMUNICATION RELATING TO THE REQUEST, AND THE ABILITY OF THE CONTROLLER TO AUTHENTICATE THE IDENTITY OF THE CONSUMER MAKING THE REQUEST. CONTROLLERS SHALL NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE CONSUMER RIGHTS PURSUANT TO THIS SECTION BUT MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT. A CONSUMER MAY SUBMIT A REQUEST AT ANY TIME TO A CONTROLLER SPECIFYING WHICH OF THE FOLLOWING RIGHTS THE CONSUMER WISHES TO EXERCISE:
(a) Right to opt out. (I) A CONSUMER HAS THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER FOR PURPOSES OF:
(A) TARGETED ADVERTISING;
(B) THE SALE OF PERSONAL DATA; OR
(C) PROFILING IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER.
(II) A CONSUMER MAY AUTHORIZE ANOTHER PERSON, ACTING ON THE CONSUMER'S BEHALF, TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN SUBSECTION (1)(a)(I) OF THIS SECTION, INCLUDING THROUGH A TECHNOLOGY INDICATING THE CONSUMER'S INTENT TO OPT OUT SUCH AS A WEB LINK INDICATING A PREFERENCE OR BROWSER SETTING, BROWSER EXTENSION, OR GLOBAL DEVICE SETTING. A CONTROLLER SHALL COMPLY WITH AN OPT-OUT REQUEST RECEIVED FROM A PERSON AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUMER'S BEHALF IF THE CONTROLLER IS ABLE TO AUTHENTICATE, WITH COMMERCIALLY REASONABLE EFFORT, THE IDENTITY OF THE CONSUMER AND THE AUTHORIZED AGENT'S AUTHORITY TO ACT ON THE CONSUMER'S BEHALF.
(III) A CONTROLLER THAT PROCESSES PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA SHALL PROVIDE A CLEAR AND CONSPICUOUS METHOD TO EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER PURSUANT TO SUBSECTION (1)(a)(I) OF THIS SECTION. THE CONTROLLER SHALL PROVIDE THE OPT-OUT METHOD CLEARLY AND CONSPICUOUSLY IN ANY PRIVACY NOTICE REQUIRED TO BE PROVIDED TO CONSUMERS UNDER THIS PART 13, AND IN A CLEAR, CONSPICUOUS, AND READILY ACCESSIBLE LOCATION OUTSIDE THE PRIVACY NOTICE.
(IV) (A) A CONTROLLER THAT PROCESSES PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA MAY ALLOW CONSUMERS TO EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA PURSUANT TO SUBSECTIONS (1)(a)(I)(A) AND (1)(a)(I)(B) OF THIS SECTION BY CONTROLLERS THROUGH A USER-SELECTED UNIVERSAL OPT-OUT MECHANISM THAT MEETS THE TECHNICAL SPECIFICATIONS ESTABLISHED BY THE ATTORNEY GENERAL PURSUANT TO SECTION 6-1-1313. THIS SUBSECTION (1)(a)(IV)(A) IS REPEALED, EFFECTIVE JULY 1, 2024.
(B) EFFECTIVE JULY 1, 2024, A CONTROLLER THAT PROCESSES PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA SHALL ALLOW CONSUMERS TO EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA PURSUANT TO SUBSECTIONS (1)(a)(I)(A) AND (1)(a)(I)(B) OF THIS SECTION BY CONTROLLERS THROUGH A USER-SELECTED UNIVERSAL OPT-OUT MECHANISM THAT MEETS THE TECHNICAL SPECIFICATIONS ESTABLISHED BY THE ATTORNEY GENERAL PURSUANT TO SECTION 6-1-1313.
(C) NOTWITHSTANDING A CONSUMER'S DECISION TO EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA THROUGH A UNIVERSAL OPT-OUT MECHANISM PURSUANT TO SUBSECTION (1)(a)(IV)(B) OF THIS SECTION, A CONTROLLER MAY ENABLE THE CONSUMER TO CONSENT, THROUGH A WEB PAGE, APPLICATION, OR A SIMILAR METHOD, TO THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA, AND THE CONSENT TAKES PRECEDENCE OVER ANY CHOICE REFLECTED THROUGH THE UNIVERSAL OPT-OUT MECHANISM. BEFORE OBTAINING A CONSUMER'S CONSENT TO PROCESS PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA PURSUANT TO THIS SUBSECTION (1)(a)(IV)(C), A CONTROLLER SHALL PROVIDE THE CONSUMER WITH A CLEAR AND CONSPICUOUS NOTICE INFORMING THE CONSUMER ABOUT THE CHOICES AVAILABLE UNDER THIS SECTION, DESCRIBING THE CATEGORIES OF PERSONAL DATA TO BE PROCESSED AND THE PURPOSES FOR WHICH THEY WILL BE PROCESSED, AND EXPLAINING HOW AND WHERE THE CONSUMER MAY WITHDRAW CONSENT. THE WEB PAGE, APPLICATION, OR OTHER MEANS BY WHICH A CONTROLLER OBTAINS A CONSUMER'S CONSENT TO PROCESS PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA MUST ALSO ALLOW THE CONSUMER TO REVOKE THE CONSENT AS EASILY AS IT IS AFFIRMATIVELY PROVIDED.
(b) Right of access. A CONSUMER HAS THE RIGHT TO CONFIRM WHETHER A CONTROLLER IS PROCESSING PERSONAL DATA CONCERNING THE CONSUMER AND TO ACCESS THE CONSUMER'S PERSONAL DATA.
(c) Right to correction. A CONSUMER HAS THE RIGHT TO CORRECT INACCURACIES IN THE CONSUMER'S PERSONAL DATA, TAKING INTO ACCOUNT THE NATURE OF THE PERSONAL DATA AND THE PURPOSES OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA.
(d) Right to deletion. A CONSUMER HAS THE RIGHT TO DELETE PERSONAL DATA CONCERNING THE CONSUMER.
(e) Right to data portability. WHEN EXERCISING THE RIGHT TO ACCESS PERSONAL DATA PURSUANT TO SUBSECTION (1)(b) OF THIS SECTION, A CONSUMER HAS THE RIGHT TO OBTAIN THE PERSONAL DATA IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO TRANSMIT THE DATA TO ANOTHER ENTITY WITHOUT HINDRANCE. A CONSUMER MAY EXERCISE THIS RIGHT NO MORE THAN TWO TIMES PER CALENDAR YEAR. NOTHING IN THIS SUBSECTION (1)(e) REQUIRES A CONTROLLER TO PROVIDE THE DATA TO THE CONSUMER IN A MANNER THAT WOULD DISCLOSE THE CONTROLLER'S TRADE SECRETS.
(2)
Responding
to
consumer
requests.
(a)
A
CONTROLLER
SHALL
INFORM
A
CONSUMER
OF
ANY
ACTION
TAKEN
ON
A
REQUEST
UNDER
SUBSECTION
(1)
OF
THIS
SECTION
WITHOUT
UNDUE
DELAY
AND,
IN
ANY
EVENT,
WITHIN
FORTY-FIVE
DAYS
AFTER
RECEIPT
OF
THE
REQUEST.
THE
CONTROLLER
MAY
EXTEND
THE
FORTY-FIVE-DAY
PERIOD
BY
FORTY-FIVE
ADDITIONAL
DAYS
WHERE
REASONABLY
NECESSARY,
TAKING
INTO
ACCOUNT
THE
COMPLEXITY
AND
NUMBER
OF
THE
REQUESTS.
THE
CONTROLLER
SHALL
INFORM
THE
CONSUMER
OF
AN
EXTENSION
WITHIN
FORTY-FIVE
DAYS
AFTER
RECEIPT
OF
THE
REQUEST,
TOGETHER
WITH
THE
REASONS
FOR
THE
DELAY.
(b)
IF
A
CONTROLLER
DOES
NOT
TAKE
ACTION
ON
THE
REQUEST
OF
A
CONSUMER,
THE
CONTROLLER
SHALL
INFORM
THE
CONSUMER,
WITHOUT
UNDUE
DELAY
AND,
AT
THE
LATEST,
WITHIN
FORTY-FIVE
DAYS
AFTER
RECEIPT
OF
THE
REQUEST,
OF
THE
REASONS
FOR
NOT
TAKING
ACTION
AND
INSTRUCTIONS
FOR
HOW
TO
APPEAL
THE
DECISION
WITH
THE
CONTROLLER
AS
DESCRIBED
IN
SUBSECTION
(3)
OF
THIS
SECTION.
(c)
UPON
REQUEST,
A
CONTROLLER
SHALL
PROVIDE
TO
THE
CONSUMER
THE
INFORMATION
SPECIFIED
IN
THIS
SECTION
FREE
OF
CHARGE;
EXCEPT
THAT,
FOR
A
SECOND
OR
SUBSEQUENT
REQUEST
WITHIN
A
TWELVE-MONTH
PERIOD,
THE
CONTROLLER
MAY
CHARGE
AN
AMOUNT
CALCULATED
IN
THE
MANNER
SPECIFIED
IN
SECTION
24-72-205
(5)(a).
(d)
A
CONTROLLER
IS
NOT
REQUIRED
TO
COMPLY
WITH
A
REQUEST
TO
EXERCISE
ANY
OF
THE
RIGHTS
UNDER
SUBSECTION
(1)
OF
THIS
SECTION
IF
THE
CONTROLLER
IS
UNABLE
TO
AUTHENTICATE
THE
REQUEST
USING
COMMERCIALLY
REASONABLE
EFFORTS,
IN
WHICH
CASE
THE
CONTROLLER
MAY
REQUEST
THE
PROVISION
OF
ADDITIONAL
INFORMATION
REASONABLY
NECESSARY
TO
AUTHENTICATE
THE
REQUEST.
(3)
(a)
A
CONTROLLER
SHALL
ESTABLISH
AN
INTERNAL
PROCESS
WHEREBY
CONSUMERS
MAY
APPEAL
A
REFUSAL
TO
TAKE
ACTION
ON
A
REQUEST
TO
EXERCISE
ANY
OF
THE
RIGHTS
UNDER
SUBSECTION
(1)
OF
THIS
SECTION
WITHIN
A
REASONABLE
PERIOD
AFTER
THE
CONSUMER'S
RECEIPT
OF
THE
NOTICE
SENT
BY
THE
CONTROLLER
UNDER
SUBSECTION
(2)(b)
OF
THIS
SECTION.
THE
APPEAL
PROCESS
MUST
BE
CONSPICUOUSLY
AVAILABLE
AND
AS
EASY
TO
USE
AS
THE
PROCESS
FOR
SUBMITTING
A
REQUEST
UNDER
THIS
SECTION.
(b)
WITHIN
FORTY-FIVE
DAYS
AFTER
RECEIPT
OF
AN
APPEAL,
A
CONTROLLER
SHALL
INFORM
THE
CONSUMER
OF
ANY
ACTION
TAKEN
OR
NOT
TAKEN
IN
RESPONSE
TO
THE
APPEAL,
ALONG
WITH
A
WRITTEN
EXPLANATION
OF
THE
REASONS
IN
SUPPORT
OF
THE
RESPONSE.
THE
CONTROLLER
MAY
EXTEND
THE
FORTY-FIVE-DAY
PERIOD
BY
SIXTY
ADDITIONAL
DAYS
WHERE
REASONABLY
NECESSARY,
TAKING
INTO
ACCOUNT
THE
COMPLEXITY
AND
NUMBER
OF
REQUESTS
SERVING
AS
THE
BASIS
FOR
THE
APPEAL.
THE
CONTROLLER
SHALL
INFORM
THE
CONSUMER
OF
AN
EXTENSION
WITHIN
FORTY-FIVE
DAYS
AFTER
RECEIPT
OF
THE
APPEAL,
TOGETHER
WITH
THE
REASONS
FOR
THE
DELAY.
(c)
THE
CONTROLLER
SHALL
INFORM
THE
CONSUMER
OF
THE
CONSUMER'S
ABILITY
TO
CONTACT
THE
ATTORNEY
GENERAL
IF
THE
CONSUMER
HAS
CONCERNS
ABOUT
THE
RESULT
OF
THE
APPEAL.
6-1-1307.
Processing
de-identified
data.
(1)
THIS
PART
13
DOES
NOT
REQUIRE
A
CONTROLLER
OR
PROCESSOR
TO
DO
ANY
OF
THE
FOLLOWING
SOLELY
FOR
PURPOSES
OF
COMPLYING
WITH
THIS
PART
13:
(a)
REIDENTIFY
DE-IDENTIFIED
DATA;
(b)
COMPLY
WITH
AN
AUTHENTICATED
CONSUMER
REQUEST
TO
ACCESS,
CORRECT,
DELETE,
OR
PROVIDE
PERSONAL
DATA
IN
A
PORTABLE
FORMAT
PURSUANT
TO
SECTION
6-1-1306
(1),
IF
ALL
OF
THE
FOLLOWING
ARE
TRUE:
(I)
(A)
THE
CONTROLLER
IS
NOT
REASONABLY
CAPABLE
OF
ASSOCIATING
THE
REQUEST
WITH
THE
PERSONAL
DATA;
OR
(B)
IT
WOULD
BE
UNREASONABLY
BURDENSOME
FOR
THE
CONTROLLER
TO
ASSOCIATE
THE
REQUEST
WITH
THE
PERSONAL
DATA;
(II)
THE
CONTROLLER
DOES
NOT
USE
THE
PERSONAL
DATA
TO
RECOGNIZE
OR
RESPOND
TO
THE
SPECIFIC
CONSUMER
WHO
IS
THE
SUBJECT
OF
THE
PERSONAL
DATA
OR
ASSOCIATE
THE
PERSONAL
DATA
WITH
OTHER
PERSONAL
DATA
ABOUT
THE
SAME
SPECIFIC
CONSUMER;
AND
(III)
THE
CONTROLLER
DOES
NOT
SELL
THE
PERSONAL
DATA
TO
ANY
THIRD
PARTY
OR
OTHERWISE
VOLUNTARILY
DISCLOSE
THE
PERSONAL
DATA
TO
ANY
THIRD
PARTY,
EXCEPT
AS
OTHERWISE
AUTHORIZED
BY
THE
CONSUMER;
OR
(c)
MAINTAIN
DATA
IN
IDENTIFIABLE
FORM
OR
COLLECT,
OBTAIN,
RETAIN,
OR
ACCESS
ANY
DATA
OR
TECHNOLOGY
IN
ORDER
TO
ENABLE
THE
CONTROLLER
TO
ASSOCIATE
AN
AUTHENTICATED
CONSUMER
REQUEST
WITH
PERSONAL
DATA.
(2)
A
CONTROLLER
THAT
USES
DE-IDENTIFIED
DATA
SHALL
EXERCISE
REASONABLE
OVERSIGHT
TO
MONITOR
COMPLIANCE
WITH
ANY
CONTRACTUAL
COMMITMENTS
TO
WHICH
THE
DE-IDENTIFIED
DATA
ARE
SUBJECT
AND
SHALL
TAKE
APPROPRIATE
STEPS
TO
ADDRESS
ANY
BREACHES
OF
CONTRACTUAL
COMMITMENTS.
(3)
THE
RIGHTS
CONTAINED
IN
SECTION
6-1-1306
(1)(b)
TO
(1)(e)
DO
NOT
APPLY
TO
PSEUDONYMOUS
DATA
IF
THE
CONTROLLER
CAN
DEMONSTRATE
THAT
THE
INFORMATION
NECESSARY
TO
IDENTIFY
THE
CONSUMER
IS
KEPT
SEPARATELY
AND
IS
SUBJECT
TO
EFFECTIVE
TECHNICAL
AND
ORGANIZATIONAL
CONTROLS
THAT
PREVENT
THE
CONTROLLER
FROM
ACCESSING
THE
INFORMATION.
6-1-1308.
Duties
of
controllers.
(1)
Duty
of
transparency.
(a)
A
CONTROLLER
SHALL
PROVIDE
CONSUMERS
WITH
A
REASONABLY
ACCESSIBLE,
CLEAR,
AND
MEANINGFUL
PRIVACY
NOTICE
THAT
INCLUDES:
(I)
THE
CATEGORIES
OF
PERSONAL
DATA
COLLECTED
OR
PROCESSED
BY
THE
CONTROLLER
OR
A
PROCESSOR;
(II)
THE
PURPOSES
FOR
WHICH
THE
CATEGORIES
OF
PERSONAL
DATA
ARE
PROCESSED;
(III)
HOW
AND
WHERE
CONSUMERS
MAY
EXERCISE
THE
RIGHTS
PURSUANT
TO
SECTION
6-1-1306,
INCLUDING
THE
CONTROLLER'S
CONTACT
INFORMATION
AND
HOW
A
CONSUMER
MAY
APPEAL
A
CONTROLLER'S
ACTION
WITH
REGARD
TO
THE
CONSUMER'S
REQUEST;
(IV)
THE
CATEGORIES
OF
PERSONAL
DATA
THAT
THE
CONTROLLER
SHARES
WITH
THIRD
PARTIES,
IF
ANY;
AND
(V)
THE
CATEGORIES
OF
THIRD
PARTIES,
IF
ANY,
WITH
WHOM
THE
CONTROLLER
SHARES
PERSONAL
DATA.
(b)
IF
A
CONTROLLER
SELLS
PERSONAL
DATA
TO
THIRD
PARTIES
OR
PROCESSES
PERSONAL
DATA
FOR
TARGETED
ADVERTISING,
THE
CONTROLLER
SHALL
CLEARLY
AND
CONSPICUOUSLY
DISCLOSE
THE
SALE
OR
PROCESSING,
AS
WELL
AS
THE
MANNER
IN
WHICH
A
CONSUMER
MAY
EXERCISE
THE
RIGHT
TO
OPT
OUT
OF
THE
SALE
OR
PROCESSING.
(c)
A
CONTROLLER
SHALL
NOT:
(I)
REQUIRE
A
CONSUMER
TO
CREATE
A
NEW
ACCOUNT
IN
ORDER
TO
EXERCISE
A
RIGHT;
OR
(II)
BASED
SOLELY
ON
THE
EXERCISE
OF
A
RIGHT
AND
UNRELATED
TO
FEASIBILITY
OR
THE
VALUE
OF
A
SERVICE,
INCREASE
THE
COST
OF,
OR
DECREASE
THE
AVAILABILITY
OF,
THE
PRODUCT
OR
SERVICE.
(d)
NOTHING
IN
THIS
PART
13
SHALL
BE
CONSTRUED
TO
REQUIRE
A
CONTROLLER
TO
PROVIDE
A
PRODUCT
OR
SERVICE
THAT
REQUIRES
THE
PERSONAL
DATA
OF
A
CONSUMER
THAT
THE
CONTROLLER
DOES
NOT
COLLECT
OR
MAINTAIN
OR
TO
PROHIBIT
A
CONTROLLER
FROM
OFFERING
A
DIFFERENT
PRICE,
RATE,
LEVEL,
QUALITY,
OR
SELECTION
OF
GOODS
OR
SERVICES
TO
A
CONSUMER,
INCLUDING
OFFERING
GOODS
OR
SERVICES
FOR
NO
FEE,
IF
THE
OFFER
IS
RELATED
TO
A
CONSUMER'S
VOLUNTARY
PARTICIPATION
IN
A
BONA
FIDE
LOYALTY,
REWARDS,
PREMIUM
FEATURES,
DISCOUNT,
OR
CLUB
CARD
PROGRAM.
(2)
Duty
of
purpose
specification.
A
CONTROLLER
SHALL
SPECIFY
THE
EXPRESS
PURPOSES
FOR
WHICH
PERSONAL
DATA
ARE
COLLECTED
AND
PROCESSED.
(3)
Duty
of
data
minimization.
A
CONTROLLER'S
COLLECTION
OF
PERSONAL
DATA
MUST
BE
ADEQUATE,
RELEVANT,
AND
LIMITED
TO
WHAT
IS
REASONABLY
NECESSARY
IN
RELATION
TO
THE
SPECIFIED
PURPOSES
FOR
WHICH
THE
DATA
ARE
PROCESSED.
(4)
Duty
to
avoid
secondary
use.
A
CONTROLLER
SHALL NOT
PROCESS
PERSONAL
DATA
FOR
PURPOSES
THAT
ARE
NOT
REASONABLY
NECESSARY
TO
OR
COMPATIBLE
WITH
THE
SPECIFIED
PURPOSES
FOR
WHICH
THE
PERSONAL
DATA
ARE
PROCESSED,
UNLESS
THE
CONTROLLER
FIRST
OBTAINS
THE
CONSUMER'S
CONSENT.
(5)
Duty
of
care.
A
CONTROLLER
SHALL
TAKE
REASONABLE
MEASURES
TO
SECURE
PERSONAL
DATA
DURING
BOTH
STORAGE
AND
USE
FROM
UNAUTHORIZED
ACQUISITION.
THE
DATA
SECURITY
PRACTICES
MUST
BE
APPROPRIATE
TO
THE
VOLUME,
SCOPE,
AND
NATURE
OF
THE
PERSONAL
DATA
PROCESSED
AND
THE
NATURE
OF
THE
BUSINESS.
(6)
Duty
to
avoid
unlawful
discrimination.
A
CONTROLLER
SHALL
NOT
PROCESS
PERSONAL
DATA
IN
VIOLATION
OF
STATE
OR
FEDERAL
LAWS
THAT
PROHIBIT
UNLAWFUL
DISCRIMINATION
AGAINST
CONSUMERS.
(7)
Duty
regarding
sensitive
data.
A
CONTROLLER
SHALL
NOT
PROCESS
A
CONSUMER'S
SENSITIVE
DATA
WITHOUT
FIRST
OBTAINING THE
CONSUMER'S
CONSENT
OR,
IN
THE
CASE
OF
THE
PROCESSING
OF
PERSONAL
DATA
CONCERNING
A
KNOWN
CHILD,
WITHOUT
FIRST
OBTAINING
CONSENT
FROM
THE
CHILD'S
PARENT
OR
LAWFUL
GUARDIAN.
6-1-1309.
Data
protection
assessments
-
attorney
general
access
and
evaluation
-
definition.
(1)
A
CONTROLLER
SHALL
NOT
CONDUCT
PROCESSING
THAT
PRESENTS
A
HEIGHTENED
RISK
OF
HARM
TO
A
CONSUMER
WITHOUT
CONDUCTING
AND
DOCUMENTING
A
DATA
PROTECTION
ASSESSMENT
OF
EACH
OF
ITS
PROCESSING
ACTIVITIES
THAT
INVOLVE
PERSONAL
DATA
ACQUIRED
ON
OR
AFTER
THE
EFFECTIVE
DATE
OF
THIS
SECTION
THAT
PRESENT
A
HEIGHTENED
RISK
OF
HARM
TO
A
CONSUMER.
(2)
FOR
PURPOSES
OF
THIS
SECTION,
"PROCESSING
THAT
PRESENTS
A
HEIGHTENED
RISK
OF
HARM
TO
A
CONSUMER"
INCLUDES
THE
FOLLOWING:
(a)
PROCESSING
PERSONAL
DATA
FOR
PURPOSES
OF
TARGETED
ADVERTISING
OR
FOR
PROFILING
IF
THE
PROFILING
PRESENTS
A
REASONABLY
FORESEEABLE
RISK
OF:
(I)
UNFAIR
OR
DECEPTIVE
TREATMENT
OF,
OR
UNLAWFUL
DISPARATE
IMPACT
ON,
CONSUMERS;
(II)
FINANCIAL
OR
PHYSICAL
INJURY
TO
CONSUMERS;
(III)
A
PHYSICAL
OR
OTHER
INTRUSION
UPON
THE
SOLITUDE
OR
SECLUSION,
OR
THE
PRIVATE
AFFAIRS
OR
CONCERNS,
OF
CONSUMERS
IF
THE
INTRUSION
WOULD
BE
OFFENSIVE
TO
A
REASONABLE
PERSON;
OR
(IV)
OTHER
SUBSTANTIAL
INJURY
TO
CONSUMERS;
(b)
SELLING
PERSONAL
DATA;
AND
(c)
PROCESSING
SENSITIVE
DATA.
(3)
DATA
PROTECTION
ASSESSMENTS
MUST
IDENTIFY
AND
WEIGH
THE
BENEFITS
THAT
MAY
FLOW,
DIRECTLY
AND
INDIRECTLY,
FROM
THE
PROCESSING
TO
THE
CONTROLLER,
THE
CONSUMER,
OTHER
STAKEHOLDERS,
AND
THE
PUBLIC
AGAINST
THE
POTENTIAL
RISKS
TO
THE
RIGHTS
OF
THE
CONSUMER
ASSOCIATED
WITH
THE
PROCESSING,
AS
MITIGATED
BY
SAFEGUARDS
THAT
THE
CONTROLLER
CAN
EMPLOY
TO
REDUCE
THE
RISKS.
THE
CONTROLLER
SHALL
FACTOR
INTO
THIS
ASSESSMENT
THE
USE
OF
DE-IDENTIFIED
DATA
AND
THE
REASONABLE
EXPECTATIONS
OF
CONSUMERS,
AS
WELL
AS
THE
CONTEXT
OF
THE
PROCESSING
AND
THE
RELATIONSHIP
BETWEEN
THE
CONTROLLER
AND
THE
CONSUMER
WHOSE
PERSONAL
DATA
WILL
BE
PROCESSED.
(4)
A
CONTROLLER
SHALL
MAKE
THE
DATA
PROTECTION
ASSESSMENT
AVAILABLE
TO
THE
ATTORNEY
GENERAL
UPON
REQUEST.
THE
ATTORNEY
GENERAL
MAY
EVALUATE
THE
DATA
PROTECTION
ASSESSMENT
FOR
COMPLIANCE
WITH
THE
DUTIES
CONTAINED
IN
SECTION
6-1-1308
AND
WITH
OTHER
LAWS,
INCLUDING
THIS
ARTICLE
1.
DATA
PROTECTION
ASSESSMENTS
ARE
CONFIDENTIAL
AND
EXEMPT
FROM
PUBLIC
INSPECTION
AND
COPYING
UNDER
THE
"COLORADO
OPEN
RECORDS
ACT",
PART
2
OF
ARTICLE
72
OF
TITLE
24.
THE
DISCLOSURE
OF
A
DATA
PROTECTION
ASSESSMENT
PURSUANT
TO
A
REQUEST
FROM
THE
ATTORNEY GENERAL
UNDER
THIS
SUBSECTION
(4)
DOES
NOT
CONSTITUTE
A
WAIVER
OF
ANY
ATTORNEY-CLIENT
PRIVILEGE
OR
WORK-PRODUCT
PROTECTION
THAT
MIGHT
OTHERWISE
EXIST
WITH
RESPECT
TO
THE
ASSESSMENT
AND
ANY
INFORMATION
CONTAINED
IN
THE
ASSESSMENT.
(5)
A
SINGLE
DATA
PROTECTION
ASSESSMENT
MAY
ADDRESS
A
COMPARABLE
SET
OF
PROCESSING
OPERATIONS
THAT
INCLUDE
SIMILAR
ACTIVITIES.
(6)
DATA
PROTECTION
ASSESSMENT
REQUIREMENTS
APPLY
TO
PROCESSING
ACTIVITIES
CREATED
OR
GENERATED
AFTER
JULY
1,
2023,
AND
ARE
NOT
RETROACTIVE.
6-1-1310.
Liability.
(1)
NOTWITHSTANDING
ANY
PROVISION
IN
PART
1
OF
THIS
ARTICLE
1,
THIS
PART
13
DOES
NOT
AUTHORIZE
A
PRIVATE
RIGHT
OF
ACTION
FOR
A
VIOLATION
OF
THIS
PART
13
OR
ANY
OTHER
PROVISION
OF
LAW.
THIS
SUBSECTION
(1)
NEITHER
RELIEVES
ANY
PARTY
FROM
ANY
DUTIES
OR
OBLIGATIONS
IMPOSED,
NOR
ALTERS
ANY
INDEPENDENT
RIGHTS
THAT
CONSUMERS
HAVE,
UNDER
OTHER
LAWS,
INCLUDING
THIS
ARTICLE
1,
THE
STATE
CONSTITUTION,
OR
THE
UNITED
STATES
CONSTITUTION.
(2)
WHERE
MORE
THAN
ONE
CONTROLLER
OR
PROCESSOR,
OR
BOTH
A
CONTROLLER
AND
A
PROCESSOR,
INVOLVED
IN
THE
SAME
PROCESSING
VIOLATES
THIS
PART
13,
THE
LIABILITY
SHALL
BE
ALLOCATED
AMONG
THE
PARTIES
ACCORDING
TO
PRINCIPLES
OF
COMPARATIVE
FAULT.
6-1-1311.
Enforcement
-
penalties
-
repeal.
(1)
(a)
NOTWITHSTANDING
ANY
OTHER
PROVISION
OF
THIS
ARTICLE
1,
THE
ATTORNEY GENERAL
AND
DISTRICT
ATTORNEYS
HAVE
EXCLUSIVE
AUTHORITY
TO
ENFORCE
THIS
PART
13
BY
BRINGING
AN
ACTION
IN
THE
NAME
OF
THE
STATE
OR
AS
PARENS
PATRIAE
ON
BEHALF
OF
PERSONS
RESIDING
IN
THE
STATE
TO
ENFORCE
THIS
PART
13
AS
PROVIDED
IN
THIS
ARTICLE
1,
INCLUDING
SEEKING
AN
INJUNCTION
TO
ENJOIN
A
VIOLATION
OF
THIS
PART
13.
(b)
NOTWITHSTANDING
ANY
OTHER
PROVISION
OF
THIS
ARTICLE
1,
NOTHING
IN
THIS
PART
13
SHALL
BE
CONSTRUED
AS
PROVIDING
THE
BASIS
FOR,
OR
BEING
SUBJECT
TO,
A
PRIVATE
RIGHT
OF
ACTION
FOR
VIOLATIONS
OF
THIS
PART
13
OR
ANY
OTHER
LAW.
(c)
FOR
PURPOSES
ONLY
OF
ENFORCEMENT
OF
THIS
PART
13
BY
THE
ATTORNEY
GENERAL
OR
A
DISTRICT
ATTORNEY,
A
VIOLATION
OF
THIS
PART
13
IS
A
DECEPTIVE
TRADE
PRACTICE.
(d)
PRIOR
TO
ANY
ENFORCEMENT
ACTION
PURSUANT
TO
SUBSECTION
(1)(a)
OF
THIS
SECTION,
THE
ATTORNEY
GENERAL
OR
DISTRICT
ATTORNEY
MUST
ISSUE
A
NOTICE
OF
VIOLATION
TO
THE
CONTROLLER
IF
A
CURE
IS
DEEMED
POSSIBLE.
IF
THE
CONTROLLER
FAILS
TO
CURE
THE
VIOLATION
WITHIN
SIXTY
DAYS
AFTER
RECEIPT
OF
THE
NOTICE
OF
VIOLATION,
AN
ACTION
MAY
BE
BROUGHT
PURSUANT
TO
THIS
SECTION.
THIS
SUBSECTION
(1)(d)
IS
REPEALED,
EFFECTIVE
JANUARY
1,
2025.
(2)
THE
STATE
TREASURER
SHALL
CREDIT
ALL
RECEIPTS
FROM
THE
IMPOSITION
OF
CIVIL
PENALTIES
UNDER
THIS
PART
13
PURSUANT
TO
SECTION
24-31-108.
6-1-1312.
Preemption
-
local
governments.
THIS
PART
13
SUPERSEDES
AND
PREEMPTS
LAWS,
ORDINANCES,
RESOLUTIONS,
REGULATIONS,
OR
THE
EQUIVALENT
ADOPTED
BY
ANY
STATUTORY
OR
HOME
RULE
MUNICIPALITY,
COUNTY,
OR
CITY
AND
COUNTY
REGARDING
THE
PROCESSING
OF
PERSONAL
DATA
BY
CONTROLLERS
OR
PROCESSORS.
6-1-1313.
Rules
-
opt-out
mechanism.
(1)
THE
ATTORNEY
GENERAL
MAY
PROMULGATE
RULES
FOR
THE
PURPOSE
OF
CARRYING
OUT
THIS
PART
13.
(2)
BY
JULY
1,
2023,
THE
ATTORNEY
GENERAL
SHALL
ADOPT
RULES
THAT
DETAIL
THE
TECHNICAL
SPECIFICATIONS
FOR
ONE
OR
MORE
UNIVERSAL
OPT-OUT
MECHANISMS
THAT
CLEARLY
COMMUNICATE
A
CONSUMER'S
AFFIRMATIVE,
FREELY
GIVEN,
AND
UNAMBIGUOUS
CHOICE
TO
OPT
OUT
OF
THE
PROCESSING
OF
PERSONAL
DATA
FOR
PURPOSES
OF
TARGETED
ADVERTISING
OR
THE
SALE
OF
PERSONAL
DATA
PURSUANT
TO
SECTION
6-1-1306
(1)(a)(I)(A)
OR
(1)(a)(I)(B).
THE
ATTORNEY
GENERAL
MAY
UPDATE
THE
RULES
THAT
DETAIL
THE
TECHNICAL
SPECIFICATIONS
FOR
THE
MECHANISMS
FROM
TIME
TO
TIME
TO
REFLECT
THE
MEANS
BY
WHICH
CONSUMERS
INTERACT
WITH
CONTROLLERS.
THE
RULES
MUST:
(a)
NOT
PERMIT
THE
MANUFACTURER
OF
A
PLATFORM,
BROWSER,
DEVICE,
OR
ANY
OTHER PRODUCT
OFFERING
A
UNIVERSAL
OPT-OUT
MECHANISM
TO
UNFAIRLY
DISADVANTAGE
ANOTHER
CONTROLLER;
(b)
REQUIRE
CONTROLLERS
TO
INFORM
CONSUMERS
ABOUT
THE
OPT-OUT
CHOICES
AVAILABLE
UNDER
SECTION
6-1-1306
(1)(a)(I);
(c)
NOT
ADOPT
A
MECHANISM
THAT
IS
A
DEFAULT
SETTING,
BUT
RATHER
CLEARLY
REPRESENTS
THE
CONSUMER'S
AFFIRMATIVE,
FREELY
GIVEN,
AND
UNAMBIGUOUS
CHOICE
TO
OPT
OUT
OF
THE
PROCESSING
OF
PERSONAL
DATA
PURSUANT
TO
SECTION
6-1-1306
(1)(a)(I)(A)
OR
(1)(a)(I)(B);
(d)
ADOPT
A
MECHANISM
THAT
IS
CONSUMER-FRIENDLY,
CLEARLY
DESCRIBED,
AND
EASY
TO
USE
BY
THE
AVERAGE
CONSUMER;
(e)
ADOPT
A
MECHANISM
THAT
IS
AS
CONSISTENT
AS
POSSIBLE
WITH
ANY
OTHER
SIMILAR
MECHANISM
REQUIRED
BY
LAW
OR
REGULATION
IN
THE
UNITED
STATES;
AND
(f)
PERMIT
THE
CONTROLLER
TO
ACCURATELY
AUTHENTICATE
THE
CONSUMER
AS
A
RESIDENT
OF
THIS
STATE
AND
DETERMINE
THAT
THE
MECHANISM
REPRESENTS
A
LEGITIMATE
REQUEST
TO
OPT
OUT
OF
THE
PROCESSING
OF
PERSONAL
DATA
FOR
PURPOSES
OF
TARGETED
ADVERTISING
OR
THE
SALE
OF
PERSONAL
DATA
PURSUANT
TO
SECTION
6-1-1306
(1)(a)(I)(A)
OR
(1)(a)(I)(B).
(3)
BY
JANUARY
1,
2025,
THE
ATTORNEY
GENERAL
MAY
ADOPT
RULES
THAT
GOVERN
THE
PROCESS
OF
ISSUING
OPINION
LETTERS
AND
INTERPRETIVE
GUIDANCE
TO
DEVELOP
AN
OPERATIONAL
FRAMEWORK
FOR
BUSINESS
THAT
INCLUDES
A
GOOD
FAITH
RELIANCE
DEFENSE
OF
AN
ACTION
THAT
MAY
OTHERWISE
CONSTITUTE
A
VIOLATION
OF
THIS
PART
13.
THE
RULES
MUST
BECOME
EFFECTIVE
BY
JULY
1,
2025.
SECTION
2.
In
Colorado
Revised
Statutes,
amend
6-1-104
as
follows:
6-1-104.
Cooperative
reporting.
The
district
attorneys
may
cooperate
in
a
statewide
reporting
system
by
receiving,
on
forms
provided
by
the
attorney
general,
complaints
from
persons
concerning
deceptive
trade
practices
listed
in
section
6-1-105
and
OR
part
7
OR
13
of
this
article
ARTICLE
1
and
transmitting
such
THE
complaints
to
the
attorney
general.
SECTION
3.
In
Colorado
Revised
Statutes,
6-1-105,
add
(1)(nnn)
as
follows:
6-1-105.
Unfair
or
deceptive
trade
practices.
(1)
A
person
engages
in
a
deceptive
trade
practice
when,
in
the
course
of
the
person's
business,
vocation,
or
occupation,
the
person:
(nnn)
VIOLATES
ANY
PROVISION
OF
PART
13
OF
THIS
ARTICLE
1
AS
SPECIFIED
IN
SECTION
6-1-1311
(1)(c).
SECTION
4.
In
Colorado
Revised
Statutes,
6-1-107,
amend
(1)
introductory
portion
as
follows:
6-1-107.
Powers
of
attorney
general
and
district
attorneys.
(1)
When
the
attorney
general
or
a
district
attorney
has
reasonable
cause
to
believe
that
any
person,
whether
in
this
state
or
elsewhere,
has
engaged in
or
is
engaging
in
any
deceptive
trade
practice
listed
in
section
6-1-105
or
part
7
OR
13
of
this
article
ARTICLE
1,
the
attorney
general
or
district
attorney
may:
SECTION
5.
In
Colorado
Revised
Statutes,
6-1-108,
amend
(1)
as
follows:
6-1-108.
Subpoenas
-
hearings
-
rules.
(1)
When
the
attorney
general
or
a
district
attorney
has
reasonable
cause
to
believe
that
a
person,
whether
in
this
state
or
elsewhere,
has
engaged
in
or
is
engaging
in
a
deceptive
trade
practice
listed
in
section
6-1-105
or
part
7
OR
13
of
this
article
1,
the
attorney
general
or
a
district
attorney,
in
addition
to
other
powers
conferred
upon
him
or
her
THE
ATTORNEY
GENERAL
OR
A
DISTRICT
ATTORNEY
by
this
article
1,
may
issue
subpoenas
to
require
the
attendance
of
witnesses
or
the
production
of
documents,
administer
oaths,
conduct
hearings
in
aid
of
any
investigation
or
inquiry,
and
prescribe
such
forms
and
promulgate
such
rules
as
may
be
necessary
to
administer
the
provisions
of
this
article
1.
SECTION
6.
In
Colorado
Revised
Statutes,
6-1-110,
amend
(1)
and
(2)
as
follows:
6-1-110.
Restraining
orders
-
injunctions
-
assurances
of
discontinuance.
(1)
Whenever
the
attorney
general
or
a
district
attorney
has
cause
to
believe
that
a
person
has
engaged
in
or
is
engaging
in
any
deceptive
trade
practice
listed
in
section
6-1-105
or
part
7
OR
13
of
this
article
ARTICLE
1,
the
attorney
general
or
district
attorney
may
apply
for
and
obtain,
in
an
action
in
the
appropriate
district
court
of
this
state,
a
temporary
restraining
order
or
injunction,
or
both,
pursuant
to
the
Colorado
rules
of
civil
procedure,
prohibiting
such
THE
person
from
continuing
such
THE
practices,
or
engaging
therein,
or
doing
any
act
in
furtherance
thereof.
The
court
may
make
such
orders
or
judgments
as
may
be
necessary
to
prevent
the
use
or
employment
by
such
THE
person
of
any
such
deceptive
trade
practice
or
which
THAT
may
be
necessary
to
completely
compensate
or
restore
to
the
original
position
of
any
person
injured
by
means
of
any
such
practice
or
to
prevent
any
unjust
enrichment
by
any
person
through
the
use
or
employment
of
any
deceptive
trade
practice.
(2)
Where
the
attorney
general
or
a
district
attorney
has
authority
to
institute
a
civil
action
or
other
proceeding
pursuant
to
the
provisions
of
this
article
ARTICLE
1,
the
attorney
general
or
district
attorney
may
accept,
in
lieu
thereof
or
as
a
part
thereof,
an
assurance
of
discontinuance
of
any
deceptive
trade
practice
listed
in
section
6-1-105
or
part
7
OR
13
of
this
article.
Such
ARTICLE
1.
THE
assurance
may
include
a
stipulation
for
the
voluntary
payment
by
the
alleged
violator
of
the
costs
of
investigation
and
any
action
or
proceeding
by
the
attorney
general
or
a
district
attorney
and
any
amount
necessary
to
restore
to
any
person
any
money
or
property
that
may
have
been
acquired
by
such
THE
alleged
violator
by
means
of
any
such
deceptive
trade
practice.
Any
such
assurance
of
discontinuance
accepted
by
the
attorney
general
or
a
district
attorney
and
any
such
stipulation
filed
with
the
court
as
a
part
of
any
such
action
or
proceeding
shall
be
is
a
matter
of
public
record
unless
the
attorney
general
or
the
district
attorney
determines,
at
his
or
her
THE
discretion
OF
THE
ATTORNEY
GENERAL
OR
DISTRICT
ATTORNEY,
that
it
will
be
confidential
to
the
parties
to
the
action
or
proceeding
and
to
the
court
and
its
employees.
Upon
the
filing
of
a
civil
action
by
the
attorney
general
or
a
district
attorney
alleging
that
a
confidential
assurance
of
discontinuance
or
stipulation
accepted
pursuant
to
this
subsection
(2)
has
been
violated,
said
THE
assurance
of
discontinuance
or
stipulation
shall
thereupon
be
deemed
BECOMES
a
public
record
and
open
to
inspection
by
any
person.
Proof
by
a
preponderance
of
the
evidence
of
a
violation
of
any
such
assurance
or
stipulation
shall
constitute
CONSTITUTES
prima
facie
evidence
of
a
deceptive
trade
practice
for
the
purposes
of
any
civil
action
or
proceeding
brought
thereafter
by
the
attorney
general
or
a
district
attorney,
whether
a
new
action
or
a
subsequent
motion
or
petition
in
any
pending
action
or
proceeding.
SECTION
7.
Act
subject
to
petition
-
effective
date
-
applicability.
(1)
This
act
takes
effect
July
1,
2023;
except
that,
if
a
referendum
petition
is
filed
pursuant
to
section
1
(3)
of
article
V
of
the
state
constitution
against
this
act
or
an
item,
section,
or
part
of
this
act
within
the
ninety-day
period
after
final
adjournment
of
the
general
assembly,
then
the
act,
item,
section,
or
part
will
not
take
effect
unless
approved
by
the
people
at
the
general
election
to
be
held
in
November
2022
and,
in
such
case,
will
take
effect
July
1,
2023,
or
on
the
date
of
the
official
declaration
of
the
vote
thereon
by
the
governor,
whichever
is
later.
(2)
This
act
applies
to
conduct
occurring
on
or
after
the
applicable
effective
date
of
this
act.
Leroy
M.
Garcia
PRESIDENT
OF
THE
SENATE
Cindi
L.
Markwell
SECRETARY
OF
THE
SENATE
Alec
Garnett
SPEAKER
OF
THE
HOUSE
OF
REPRESENTATIVES
Robin
Jones
CHIEF
CLERK
OF
THE
HOUSE
OF
REPRESENTATIVES
APPROVED
(Date
and
Time)
Jared
S.
Polis
GOVERNOR
OF
THE
STATE
OF
COLORADO