Ask Reggi Your Question Now
Can I disclose personal information for a business purpose without complying with CCPA in Colorado? What are the requirements?
Disclosure of Personal Information for Business Purpose in Colorado
The Colorado Privacy Act (CPA) [1.3] is a comprehensive privacy law that regulates the collection, use, and disclosure of personal information by businesses operating in Colorado. The CPA applies to businesses that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and that meet certain revenue or data processing thresholds.
Under the CPA, a business may disclose personal information for a business purpose without complying with the CPA if the business meets certain requirements [1.3]. Specifically, the business must:
- Implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information and the nature and size of the business [3.1].
- Enter into a contract with the recipient of the personal information that prohibits the recipient from using the personal information for any purpose other than performing the services specified in the contract and requires the recipient to implement and maintain reasonable security procedures and practices [1.3].
- Obtain the consumer’s consent to the disclosure [1.3].
It is important to note that the CPA does not preempt other state or federal laws that regulate the collection, use, and disclosure of personal information, including the California Consumer Privacy Act (CCPA) [1.2]. Therefore, businesses that are subject to the CCPA must comply with its requirements when disclosing personal information of California residents, even if they are also subject to the CPA.
In summary, a business may disclose personal information for a business purpose without complying with the CPA in Colorado if it implements and maintains reasonable security procedures and practices, enters into a contract with the recipient of the personal information, and obtains the consumer’s consent to the disclosure.
Source(s):
- [1.2] Disposal of personal identifying information - policy - definitions.
- [1.3] COLORADO PRIVACY ACT
- [3.1] Governmental entity - protection of personal identifying information - definition.
Jurisdiction
Colorado