Colorado Privacy Act

Page Updated: April 22, 2024

CHA Advocacy Principle: Support transparency, communication, and shared responsibility for reforms.

What Has Been Completed:

On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act. On March 15, 2023, the Colorado Attorney General’s (AG) Office filed the final Colorado Privacy Act (CPA) Rules. The rules went into effect on July 1, 2023. The rules detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data. The CPA does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such the Health Insurance Portability and Accountability Act (HIPAA).

The exemptions provided for covered entities only extend to the following categories of personal information: personal health information (PHI); de-identified information; patient identifying information; identifiable private information; health care information that is processed solely for the purpose of access to medical records; information or documents created by CHA for HIPAA compliance purposes; information derived from any health care-related information; or patient safety work product information. Any personal information that does not fall under the definitions of the categories listed here will be subject to the CPA Rules. Entities must provide consumers with a clear disclosure that their personal information may be subject to sale or sharing and the option to opt out of the sale or sharing of their personal information.    

Resources:

• Finalized Rules
• Colorado Privacy Act Rulemaking Webpage

CHA Staff Contact: Adeline Ewing, CHA manager of public policy, [email protected]