The Colorado Privacy Act

The Colorado Privacy Act takes effect July 1st and will cover nonprofit organizations and those service providers, contractors, and vendors that manage, maintain, or provide services on an organization’s behalf. Organizations and entities that process the personal data of 100,000 or more individuals in a calendar year or exchange the personal data of 25,000 or more individuals in a calendar year will be subject to the Act.

The Privacy Act will require organizations and entities to:

  • Confirm whether they do or do not process individuals’ personal data and provide them with access to that information. 
  • Enable individuals to opt out of the processing of their personal information.
  • Provide individuals the right to correct inaccurate personal information.
  • Provide individuals with the right to have personal information deleted.
  • Provide a meaningful privacy notice to individuals detailing their various rights.

While the Colorado Nonprofit Association cannot tell any organization that what they are doing or planning to do aligns with the Colorado Data Privacy Act, what we can say is that any proactive step to be in compliance with the Act is a solid start.

Although the Colorado Attorney General’s Office has finalized initial rules (and we anticipate at least one more round of rulemaking), there is little guidance on the Privacy Act. The Colorado Nonprofit Association has secured a commitment from the Attorney General himself that he would lead a co-branded training between the Colorado Attorney General’s Office and the Colorado Nonprofit Association. We anticipate this training will be held in July. The Colorado Nonprofit Association has had initial conversations with the Attorney General and his staff, and we will be working closely with them to develop training sessions based on this guidance. While attending this training will not guarantee compliance, it is evidence that an attendee is trying to comply with the law.

The Colorado Attorney General’s Office has made it clear that there will be leniency, and an opportunity to come into compliance, for organizations that are taking steps to be compliant with the Act even if they are not yet fully compliant. The Attorney General’s Office will be less favorable to those organizations and businesses that are willfully thwarting the law and ignoring the spirit of the Act. And, because this is an entirely new system that the Attorney General’s Office is creating, enforcement will also take some time beyond the July 1st enactment date.