Colorado Gov. Polis signs data privacy act

Colorado became the third state to adopt a comprehensive data-privacy policy, following in the steps of California and Virginia.
Colorado Gov. Jared Polis
Colorado Gov. Jared Polis in Denver in January 2021. (Michael Ciaglo / Getty Images)

Colorado Gov. Jared Polis on Wednesday signed a data-privacy bill into law, making the state the third to enact a comprehensive policy aimed at protecting its residents’ personal information used in online business.

The new law, which state legislators approved overwhelmingly last month, gives Coloradans the ability to opt out from having their data collected, stored and sold by businesses operating in the state, as well as the ability to edit or delete it. It follows similar legislation enacted earlier this year by Virginia; both states’ new laws add to the legacy of the California Consumer Protection Act, the 2018 law that launched the patchwork of states creating their own data-privacy regulations in the absence of a nationwide framework.

In addition to better-known pieces of personal information like names, addresses and identification numbers, the Colorado law also aims to protect “sensitive data,” including anything that could reveal a person’s racial or ethnic origin, religious beliefs, gender identity, sexual orientation or citizenship status. It also bans so-called “dark patterns” — website interfaces designed to trick users into unintended choices that could result in the sharing of additional personal information.

Similar to the Virginia law, the Colorado Privacy Act gives the state attorney general and district attorneys the power to bring legal action against companies suspected of abusing or mishandling their customers’ personal information, but stops short of giving individuals the same ability — what’s known in legal parlance as a “private right to action.”


While data-privacy advocates in Virginia and Colorado succeeded in passing bills there, they’ve come up short elsewhere amid a flurry of action on the topic. A bill in Florida that could’ve resulted in some of the most aggressive rules anywhere in the country collapsed when lawmakers disagreed over the private right to action; legislation in Washington state has failed three years in a row over a similar dispute.

Still, in signing Colorado’s new law, which takes effect in 2023, Polis noted it is far from perfect and that lawmakers will need to make adjustments to ensure the state remains attractive to the tech industry, which has lobbied against state privacy bills.

“As our economy continues to evolve and innovate in response to the demands of technology and the internet, new protections are needed to prevent fraud, abuse, and misuse,” Polis, a former tech executive, wrote in a signing statement. “However, in the haste to pass this bill, several issues remain outstanding. My chief concern is ensuring Colorado’s competitiveness with other states as an incubator of new technologies and innovations. [The Colorado Privacy Act] will require cleanup legislation next year, and in fact, the sponsors, proponents, industry, and consumers are already engaged in conversations to craft that bill.”

Polis also wrote that he encouraged those talks to continue and that the Colorado Privacy Act “become a template for a nationwide standard passed by Congress in the future.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts