Applicability of part
(1)Except as specified in subsection (2) of this section, this part 13 applies to a controller that:
(a)Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
(b)Satisfies one or both of the following thresholds:
(I)Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or
(II)Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.
(2)This part 13 does not apply to:
(a)Protected health information that is collected, stored, and processed by a covered entity or its business associates;
(b)Health-care information that is governed by part 8 of article 1 of title 25 solely for the purpose of access to medical records;
(c)Patient identifying information, as defined in 42 CFR 2.11, that are governed by and collected and processed pursuant to 42 CFR 2, established pursuant to 42 U.S.C. sec. 290dd-2;
(d)Identifiable private information, as defined in 45 CFR 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the categories set forth in this subsection (2)(d);
(e)Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations;
(f)Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of patient safety improvement pursuant to 42 CFR 3, established pursuant to 42 U.S.C. secs. 299b-21 to 299b-26;
(g)Information that is:
(I)De-identified in accordance with the requirements for de-identification set forth in 45 CFR 164; and
(II)Derived from any of the health-care-related information described in this section;
(h)Information maintained in the same manner as information under subsections (2)(a) to (2)(g) of this section by:
(I)A covered entity or business associate;
(II)A health-care facility or health-care provider; or
(III)A program of a qualified service organization as defined in 42 CFR 2.11;
(i)Intentionally left blank —Ed.
(I)Except as provided in subsection (2)(i)(II) of this section, an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:
(A)A consumer reporting agency as defined in 15 U.S.C. sec. 1681a (f);
(B)A furnisher of information as set forth in 15 U.S.C. sec. 1681s-2 that provides information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a (d); or
(C)A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.
(II)This subsection (2)(i) applies only to the extent that the activity is regulated by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681 et seq., as amended, and the personal data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by the federal “Fair Credit Reporting Act”, as amended.
(I)Collected and maintained for purposes of article 22 of title 10;
(II)Collected, processed, sold, or disclosed pursuant to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
(III)Collected, processed, sold, or disclosed pursuant to the federal “Driver’s Privacy Protection Act of 1994”, 18 U.S.C. sec. 2721 et seq., as amended, if the collection, processing, sale, or disclosure is regulated by that law, including implementing rules, regulations, or exemptions;
(IV)Regulated by the federal “Children’s Online Privacy Protection Act of 1998”, 15 U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and maintained in compliance with that law; or
(V)Regulated by the federal “Family Educational Rights and Privacy Act of 1974”, 20 U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;
(k)Data maintained for employment records purposes;
(l)An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et seq., as amended, and 49 U.S.C. sec. 41713, as amended;
(m)A national securities association registered pursuant to the federal “Securities Exchange Act of 1934”, 15 U.S.C. sec. 78o-3, as amended, or implementing regulations;
(n)Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(I) or an authority as defined in section 43-4-503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law;
(o)Data maintained by a state institution of higher education, as defined in section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes. This subsection (2)(o) does not effect any other exemption available under this part 13.
(p)Information used and disclosed in compliance with 45 CFR 164.512; or
(q)A financial institution or an affiliate of a financial institution as defined by and that is subject to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, including Regulation P, 12 CFR 1016.
(3)The obligations imposed on controllers or processors under this part 13 do not:
(a)Restrict a controller’s or processor’s ability to:
(I)Comply with federal, state, or local laws, rules, or regulations;
(II)Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(III)Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;
(IV)Investigate, exercise, prepare for, or defend actual or anticipated legal claims;
(V)Conduct internal research to improve, repair, or develop products, services, or technology;
(VI)Identify and repair technical errors that impair existing or intended functionality;
(VII)Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller;
(VIII)Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
(IX)Protect the vital interests of the consumer or of another individual;
(X)Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
(XI)Process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing:
(A)Is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and
(B)Is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or
(XII)Assist another person with any of the activities set forth in this subsection (3);
(b)Apply where compliance by the controller or processor with this part 13 would violate an evidentiary privilege under Colorado law;
(c)Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication;
(d)Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law; and
(e)Apply to the processing of personal data by an individual in the course of a purely personal or household activity.
(4)Personal data that are processed by a controller pursuant to an exception provided by this section:
(a)Shall not be processed for any purpose other than a purpose expressly listed in this section or as otherwise authorized by this part 13; and
(b)Shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section or as otherwise authorized by this part 13.
(5)If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (4) of this section.
Section 6-1-1304 — Applicability of part,
https://leg.colorado.gov/sites/default/files/images/olls/crs2023-title-06.pdf (accessed Oct. 20, 2023).