Can I skip updating my privacy policy and other CCPA-related documents in Colorado? What are the requirements?

Colorado Privacy Policy Requirements

Colorado law requires governmental entities to create a privacy policy that standardizes the collection, storage, transfer, and use of personally identifiable information ^[1.1]. The policy must include a general statement supporting individual privacy, a provision for minimizing the collection of personally identifiable information, clear notice of the applicability of the “Colorado Open Records Act,” a method for feedback from the public on compliance with the privacy policy, and a statement that the policy extends to the collection of all personally identifiable information, regardless of the source or medium ^[1.1].

Additionally, any governmental entity that operates a worldwide website must establish and publish a privacy policy on its website by July 1, 2003 ^[1.1]. Failure to establish a privacy policy will prevent a governmental entity from operating a worldwide website after July 1, 2003 ^[1.1].

Applicability of Colorado Privacy Law

Colorado’s privacy law applies to controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to residents of Colorado and satisfy certain thresholds ^[2.3]. The law does not apply to certain types of information, including protected health information collected, stored, and processed by a covered entity or its business associates, identifiable private information collected as part of human subjects research, and data maintained for employment records purposes ^[2.3].

Colorado Privacy Act

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and will become effective on July 1, 2023 ^[2.1][2.4]. The CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to residents of Colorado and satisfy certain thresholds ^[2.1]. The CPA requires controllers to provide a privacy notice to consumers that includes specific information, such as the categories of personal data collected, the purposes for which the data is used, and the categories of third parties with whom the data is shared ^[2.1]. The CPA also grants consumers certain rights, such as the right to access, correct, delete, and obtain a copy of their personal data ^[2.1].

Answer

Based on the information provided, it is not possible to determine whether a business can skip updating its privacy policy and other CCPA-related documents in Colorado. However, governmental entities are required to create a privacy policy, and controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to residents of Colorado may be subject to Colorado’s privacy law and the CPA. It is recommended that businesses consult with legal counsel to determine their specific obligations under Colorado law and the CPA.

Source(s):

• [1.1] Creation of a privacy policy for governmental entities.
• [2.1] COLORADO PRIVACY ACT
• [2.3] Applicability of part.
• [2.4] Short title.

Jurisdiction

Colorado

• Privacy