Colorado Rights Blog

SB21-190: Protect Personal Data Privacy

Bill Number: SB21-190
Year: 2021
ACLU Position: Active Amend
Sponsors: P. Lundeen/R. Rodriguez


The bill creates personal data privacy rights and:
• Applies to legal entities that conduct business or produce
products or services that are intentionally targeted to
Colorado residents and that either:
• Control or process personal data of more than
100,000 consumers per calendar year; or

• Derive revenue from the sale of personal data and
control or process the personal data of at least
25,000 consumers; and
• Does not apply to personal data governed by listed state
and federal laws, listed activities, and employment records.
Consumers have the right to opt out of the processing of their
personal data; access, correct, or delete the data; or obtain a portable copy
of the data. The bill defines a controller as a person that, alone or jointly
with others, determines the purposes and means of processing personal
data. A processor means a person that processes personal data on behalf
of a controller.

The bill:
• Specifies how controllers must fulfill duties regarding
consumers’ assertion of their rights, transparency, purpose
specification, data minimization, avoiding secondary use,
care, avoiding unlawful discrimination, and sensitive data;
• Requires controllers to conduct a data protection
assessment for each of their processing activities involving
personal data that present a heightened risk of harm to
consumers, such as processing for purposes of targeted
advertising or processing sensitive data; and
• May be enforced only by the attorney general or district

Current Status:

Senate Committee on Business, Labor, & Technology Refer Amended to Appropriations (05/05/2021)
Senate Considered House Amendments - Result was to Concur - Repass (06/08/2021)

Return to Search Menu