top of page

An Intro to the Colorado SB-190 Consumer Privacy Law in Under 10 Minutes

Two States in the US have recently past consumer privacy laws, with others such as Colorado looking to sign into law their own state bill.

Colorado is the third state in the United States (US) to pass a consumer protection law. Senate Bill 190 now awaits Gov. Jared Polis’ signature. SB-190 would direct the Colorado attorney general to write rules for companies to follow in order to comply with the legislation. The state attorney general or district attorneys could penalize companies that violated SB-190’s requirements using existing laws on deceptive trade practices.

The Colorado Privacy Act does not apply to all companies or all people. Here are some highlights:

Companies impacted:

  • Intentionally targeting Colorado residents

  • Store or process personal data on more than 100,000 consumers per calendar year

  • Profits in some way from the sale or processing of personal data of at least 25,000 consumers

Data excluded:

  • Employment records, job applications

  • Personal data governed by state or federal laws, such as health or financial information

  • De-identified data, or data no longer linked to a specific consumer

  • Publicly available data in government records, such as property tax and home ownership records.

What consumers gain:

  • Can opt out of having personal data collected, processed or sold that is being used for targeted advertising or profiling purposes

  • Access, correct or delete the personal data a company has stored, or get a copy of it free of charge once every 12 months (there could be a charge for a second request within the year).

The pending Colorado measure would take effect July 1, 2023. By then, the attorney general’s office needs to have rules in place to specify what universal opt-out mechanisms can be used. Having that authority to make the rules was the only way Colorado Attorney General Phil Weiser said he would support the bill.

“For our support, we needed rulemaking authority to make sure that if a company said, ‘We’re giving someone the opt-out choice,’ but if the opt out was so misleading or difficult to access that it wasn’t a real opt-out choice, that was not going to cut it,” Weiser said.

For companies that already changed their policies after Europe’s strict General Data Protection Regulation passed in 2016 or California’s California Consumer Privacy Act went into effect last year, the changes required in Colorado should be easy to address.

Whether you live in the state or not, if you are doing business with residents that live in that state you may be liable to adhere to the specifics of that state’s privacy law regulation and data breach laws.

Compliance and the protection of the consumer can be overwhelming. The Sybersafe compliance team and Dsyfer can provide organizations with subject matter experts and a suite of products for managing one of your greatest threats. No matter what your burning compliance need is, Sybersafe has a solution for your organization. For more information, call a client service member at 480.779.4653 or email

# # # # # #

This press release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 (the "Act"). In particular, when used in the preceding discussion, the words "believes," "expects," "intends," "will," “plans,” “hopes,” "anticipated," or "may," and similar conditional expressions are intended to identify forward-looking statements within the meaning of the Act, and are subject to the safe harbor created by the Act. Except for historical information, all of the statements, expectations and assumptions contained in the foregoing are forward-looking statements that involve a number of risks and uncertainties. Actual results could differ from those projected in any forward-looking statements due to numerous factors. Such factors include, among others, the inherent uncertainties associated with the Company’s business focus, Sybersafe assumes no obligation to update or correct forward-looking statements, and also assumes no obligation to update or correct information prepared by third parties that are not paid for by the Company.

24 views0 comments


bottom of page