Technology has, of course, produced a mix of good things and bad. It has placed a vast amount of information (some of it even reliable) within easy reach. However, it has also allowed personal information to be captured and used for targeted marketing and other intrusions into daily life, and it has enhanced the risk of identity theft.

For the last several decades now, Congress and state legislatures have been flailing away trying to find an acceptable balance between information accessibility and privacy. Examples of federal laws paying close attention to privacy include the Health Insurance Portability and Accountability Act (HIPAA); the Fair Credit Reporting Act; the Children’s Online Privacy Protection Act; the Family Education Rights and Privacy Act; and the Fair Debt Collection Practices Act. Internationally, the European Union has been aggressive in prioritizing privacy, culminating in the 2018 adoption of something called the General Data Protection Regulation. Then, at the state level, California, in 2020, became the first state to put in place a comprehensive privacy statute, modeled after the European Union regulation, called the California Privacy Rights Act.

Not to be left behind, in 2021, Colorado joined the parade with the Colorado Privacy Act (Senate Bill 21-90), which looked to the California statute for inspiration. Most of the Colorado act became effective July 1 of this year and entities covered by the act are busy trying to design policies and procedures to comply with its requirements. Another nine states have passed similar legislation and are in the process of implementing their laws.

Since there is no single wide-ranging federal privacy law, much effort is being made to cause the various state laws being adopted to be substantially uniform. The hope is that entities acquiring and processing personal data in multiple jurisdictions will not have to reinvent the wheel for each state where they have a presence.

It’s not easy to summarize the Colorado Privacy Act other than to say it imposes new requirements on entities (including nonprofit entities) that acquire, process and use consumer data — that is, data tied to individuals “acting only in an individual or household context.” Under the act, covered entities must provide detailed information to people whose data is being collected and processed, to include a statement as to what the collecting entity does with the data and why it thinks it needs the data.

Under the act, the privacy rights information given to consumers must be presented in a clear and meaningful, consumer-friendly manner. And data-collecting entities need to limit their activities to what is “reasonably necessary” in relation to the purposes for which data are being collected. Covered entities must take steps to secure their data from unauthorized acquisition and they are required to weigh the benefits derived from their data collection and processing activities against potential risks these activities might create. As a major push in the direction of useful consumer protections, consumers will have the right to obtain a copy of the data being collected about themselves and to delete or correct such information.

The act contains various opt-in and opt-out provisions intended to allow individuals to customize their own particular needs for accessibility and privacy. These provisions are to be “clearly described” and “easy to use by the average consumer” (i.e., not just people under the age of, say, 30).

Of note, the act does not allow for a private right of action. So you can’t sue an entity that violates the act. Instead, the act makes the state attorney general the cop on the beat, with authority to go after scofflaws and impose fines and other sanctions.

Under the Colorado Privacy Act, it’s now more important than ever that people pay attention to the privacy rights notices they will receive from entities with which they communicate and participate in securing for themselves the privacy rights the act allows.

Jim Flynn is a business columnist. He is of counsel with the Colorado Springs firm Flynn & Wright LLC. He can be contacted at moneylaw@jtflynn.com.

Money and the Law columnist Jim Flynn