On July 1st, 2023, Colorado and Connecticut's data protection acts (Colorado Privacy Act and Connecticut Data Privacy Act, respectively) went into effect
Colorado
On July 7th, 2021, Colorado officially became the third state – after California and Virginia – to pass broad consumer privacy legislation when Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. We have discussed CPA provisions in detail in this article.
“For businesses, the Colorado Privacy Act institutes a series of responsibilities. First, the CPA requires businesses to provide meaningful privacy notices to consumers and to specify the express purpose for which data is collected and processed. Moreover, the law imposes a data minimization requirement, specifying that businesses can only collect personal data that’s reasonably necessary in relation to a specified purpose. The law also requires that businesses use sound practices in storing personal data, avoid processing personal data in ways that would violate antidiscrimination laws, and obtain affirmative consent before processing sensitive data. Finally, the law requires businesses to conduct data protection assessments before conducting data processing activities that present a heightened risk of harm to consumers (which includes the use of personal data for targeted advertising, selling data, or processing sensitive data)„
Phil Weiser, Colorado Attorney General
CPA provides consumers who are residents of the state with several data subject rights, such as:
- Right to opt out of targeted advertisement
- Right to opt out of the sale of personal information
- Right to opt out of profiling when it facilitates decisions based on automated data processing and produces legal (or similarly significant) effects for the consumer
- Right to access the information processed about the consumer
- Right to correct personal information processed
- Right to delete personal information processed
- Right to data portability
More information on how to set up footer links for "Privacy Center" and "Do not sell or share my personal information" to facilitate compliance and provide your users with an accessible way to submit a request can be found in this article.
Consumers may exercise the above-mentioned rights by submitting a request using methods specified in the Controller's Privacy Policy. Controllers shall inform consumers that the request is received and process it within 45 days, with a possibility to extend this term to another 45 days when necessary, taking into account the complexity of the request(s).
Starting July 1st, unless there is a custom change, website visitors from Colorado will be able to submit a request through Clym's Privacy Widget.
We'd like to highlight that in addition to the Colorado Privacy Act, the Colorado Department of Law has published Privacy Act Rules with detailed requirements for opt-out mechanisms, including a requirement to process an opt-out request within 15 days and a specification that if a link is used as an opt-out method, it must be positioned in an obvious location of a website or application, such as the header or footer of a Controller’s internet homepage and it must take a consumer directly to the opt-out method, and the link text must provide a clear understanding of its purpose, for example, “Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” or “Your Opt-Out Rights.” We recommend that you review the Privacy Act Rules as well as the CPA to ensure compliance.
Connecticut
On May 10th, 2022, an Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or “CTDPA”) was signed into law, making Connecticut the fifth state to pass a comprehensive consumer privacy law. CTDPA shares many similarities with the Virginia Consumer Data Privacy Act (VCDPA), and if you wish to find out more, we have prepared a detailed overview here.
CTDPA provides Connecticut residents with the following rights:
- The right to access personal data that a controller has collected about them
- The right to correct inaccuracies in their personal data
- The right to delete their personal data, including personal data that a controller collected through third parties
- The right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease
- The right to opt out of:
- the sale of their personal data;
- the processing of personal data for the purposes of targeted advertising; and
- profiling that may have a legal or other significant impact.
A controller must respond to a consumer’s requests no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by 45 days.
Both the Colorado Privacy Act and the Connecticut Data Privacy Act include provisions concerning the "universal opt-out mechanism", designed to afford consumers the ability to communicate a request to opt-out of the processing of their personal data across multiple websites/controllers at once. When a consumer sets their preferences in their browser or with a plug-in to “opt-out” of processing, either for specific purposes or all purposes, such signal should be treated the same way as an opt-out request.
If either the Colorado Privacy Act or the Connecticut Data Privacy Act does not apply to your business and you wish to change configurations of the widget for your website, you may manually change default configurations by following this guideline on How to change the regulation for a jurisdiction.