(1) Except as specified in subsection (2) of
this section:
(a) This part 13, other than sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5,
applies to a controller that:
(I) (A) Conducts business in Colorado or produces or delivers commercial
products or services that are intentionally targeted to residents of Colorado; and
(B) Satisfies one or both of the following thresholds: controls or processes
the personal data of one hundred thousand consumers or more during a calendar
year; or derives revenue or receives a discount on the price of goods or services
from the sale of personal data and processes or controls the personal data of
twenty-five thousand consumers or more; or
(II) Controls or processes any amount of biometric identifiers or biometric
data regardless of the amount of biometric identifiers or biometric data controlled
or processed annually; except that a controller that meets the qualifications of this
subsection (1)(b) but does not meet the qualifications of subsection (1)(a) of this
section shall comply with this part 13 only for the purposes of a biometric identifier
or biometric data that the controller collects and processes;
(b) Sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5 to 6-1-1313 apply to a
controller that conducts business in Colorado or delivers commercial products or
services that are intentionally targeted to residents of Colorado.
(2) This part 13 does not apply to:
(a) Protected health information that is collected, stored, and processed by a
covered entity or its business associates;
(b) Health-care information that is governed by part 8 of article 1 of title 25
solely for the purpose of access to medical records;
(c) Patient identifying information, as defined in 42 CFR 2.11, that is
governed by and collected and processed pursuant to 42 CFR 2, established
pursuant to 42 U.S.C. sec. 290dd-2;
(d) Identifiable private information, as defined in 45 CFR 46.102, for purposes
of the federal policy for the protection of human subjects pursuant to 45 CFR 46;
identifiable private information that is collected as part of human subjects research
pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International
Council for Harmonisation of Technical Requirements for Pharmaceuticals for
Human Use or the protection of human subjects under 21 CFR 50 and 56; or
personal data used or shared in research conducted in accordance with one or more
of the categories set forth in this subsection (2)(d);
(e) Information and documents created by a covered entity for purposes of
complying with HIPAA and its implementing regulations;
(f) Patient safety work product, as defined in 42 CFR 3.20, that is created for
purposes of patient safety improvement pursuant to 42 CFR 3, established
pursuant to 42 U.S.C. secs. 299b-21 to 299b-26;
(g) Information that is:
(I) De-identified in accordance with the requirements for de-identification set
forth in 45 CFR 164; and
(II) Derived from any of the health-care-related information described in this
section;
(h) Information maintained in the same manner as information under
subsections (2)(a) to (2)(g) of this section by:
(I) A covered entity or business associate;
(II) A health-care facility or health-care provider; or
(III) A program of a qualified service organization as defined in 42 CFR 2.11;
(i) (I) Except as provided in subsection (2)(i)(II) of this section, an activity
involving the collection, maintenance, disclosure, sale, communication, or use of
any personal data bearing on a consumer's creditworthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or mode of living
by:
(A) A consumer reporting agency as defined in 15 U.S.C. sec. 1681a (f);
(B) A furnisher of information as set forth in 15 U.S.C. sec. 1681s-2 that
provides information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a
(d); or
(C) A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.
(II) This subsection (2)(i) applies only to the extent that the activity is
regulated by the federal Fair Credit Reporting Act, 15 U.S.C. sec. 1681 et seq., as
amended, and the personal data are not collected, maintained, disclosed, sold,
communicated, or used except as authorized by the federal Fair Credit Reporting
Act, as amended.
(j) Personal data:
(I) Collected and maintained for purposes of article 22 of title 10;
(II) Collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq., as amended, and implementing
regulations, if the collection, processing, sale, or disclosure is in compliance with
that law;
(III) Collected, processed, sold, or disclosed pursuant to the federal Driver's
Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq., as amended, if the
collection, processing, sale, or disclosure is regulated by that law, including
implementing rules, regulations, or exemptions;
(IV) Regulated by the federal Children's Online Privacy Protection Act of
1998, 15 U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and
maintained in compliance with that law; or
(V) Regulated by the federal Family Educational Rights and Privacy Act of
1974, 20 U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;
(k) Data maintained for employment records purposes;
(l) An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et
seq., as amended, and 49 U.S.C. sec. 41713, as amended;
(m) A national securities association registered pursuant to the federal
Securities Exchange Act of 1934, 15 U.S.C. sec. 78o-3, as amended, or
implementing regulations;
(n) Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(I) or an authority as defined in section 43-4-503 (1), if the data are not
collected, maintained, disclosed, sold, communicated, or used except as authorized
by state and federal law;
(o) Data maintained by a state institution of higher education, as defined in
section 23-18-102 (10), the state, the judicial department of the state, or a county,
city and county, or municipality if the data is collected, maintained, disclosed,
communicated, and used as authorized by state and federal law for noncommercial
purposes. This subsection (2)(o) does not affect any other exemption available
under this part 13.
(p) Information used and disclosed in compliance with 45 CFR 164.512; or
(q) A financial institution or an affiliate of a financial institution as defined by
and that is subject to the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et
seq., as amended, and implementing regulations, including Regulation P, 12 CFR
1016.
(3) The obligations imposed on controllers or processors under this part 13
do not:
(a) Restrict a controller's or processor's ability to:
(I) Comply with federal, state, or local laws, rules, or regulations;
(II) Comply with a civil, criminal, or regulatory inquiry, investigation,
subpoena, or summons by federal, state, local, or other governmental authorities;
(III) Cooperate with law enforcement agencies concerning conduct or activity
that the controller or processor reasonably and in good faith believes may violate
federal, state, or local law;
(IV) Investigate, exercise, prepare for, or defend actual or anticipated legal
claims;
(V) Conduct internal research to improve, repair, or develop products,
services, or technology;
(VI) Identify and repair technical errors that impair existing or intended
functionality;
(VII) Perform internal operations that are reasonably aligned with the
expectations of the consumer based on the consumer's existing relationship with
the controller;
(VIII) Provide a product or service specifically requested by a consumer or
the parent or guardian of a child, perform a contract to which the consumer is a
party, or take steps at the request of the consumer prior to entering into a contract;
(IX) Protect the vital interests of the consumer or of another individual;
(X) Prevent, detect, protect against, or respond to security incidents, identity
theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the
integrity or security of systems; or investigate, report, or prosecute those
responsible for any such action;
(XI) Process personal data for reasons of public interest in the area of public
health, but solely to the extent that the processing:
(A) Is subject to suitable and specific measures to safeguard the rights of
the consumer whose personal data are processed; and
(B) Is under the responsibility of a professional subject to confidentiality
obligations under federal, state, or local law; or
(XII) Assist another person with any of the activities set forth in this
subsection (3);
(b) Apply where compliance by the controller or processor with this part 13
would violate an evidentiary privilege under Colorado law;
(c) Prevent a controller or processor from providing personal data
concerning a consumer to a person covered by an evidentiary privilege under
Colorado law as part of a privileged communication;
(d) Apply to information made available by a third party that the controller
has a reasonable basis to believe is protected speech pursuant to applicable law;
(e) Apply to the processing of personal data by an individual in the course of
a purely personal or household activity;
(f) Require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers, but a
controller that chooses to conduct commercially reasonable age estimation to
determine which consumers are minors is not liable for an erroneous age
estimation; and
(g) Impose any obligation on a controller or processor that adversely affects
the rights of any person to freedom of speech or freedom of the press guaranteed
by the first amendment to the United States constitution.
(4) Personal data that are processed by a controller pursuant to an
exception provided by this section:
(a) Shall not be processed for any purpose other than a purpose expressly
listed in this section or as otherwise authorized by this part 13; and
(b) Shall be processed solely to the extent that the processing is necessary,
reasonable, and proportionate to the specific purpose or purposes listed in this
section or as otherwise authorized by this part 13.
(5) If a controller processes personal data pursuant to an exemption in this
section, the controller bears the burden of demonstrating that the processing
qualifies for the exemption and complies with the requirements in subsection (4) of
this section.