New data privacy law will be enforced, attorney general says
Colorado’s new data privacy law is in effect as of July 1, and Attorney General Phil Weiser is alerting businesses that his office will enforce the law.
Under the Colorado Privacy Act, adopted by lawmakers in 2021, companies covered under the law must:
- Provide consumers with clear, understandable, and transparent information about how and why they collect, store, use, share, and sell personal data
- Respond to consumer requests to access, delete, correct, and get a portable copy of their personal data
- Allow consumers to opt out of the sale of personal data as well as targeted advertising and certain kinds of profiling
- Obtain consent before collecting or using sensitive data
Businesses subject to the Colorado Privacy Act are those that operate in Colorado or target Colorado citizens and collect data on more than 100,000 individuals, or that receive revenue from the sale of personal data for more than 25,000 individuals.
The law also applies to collection of sensitive data, a subset of personal data, which includes any personal data regarding a child under the age of 13; data on the race, ethnic origin or religious beliefs, mental or physical health conditions or diagnoses, sexual activity, preferences or orientation, or citizenship status or citizenship of an individual; and biometric data that is used for identifying an individual.
It applies to Colorado citizens while browsing the internet or signing up for a retail rewards program, but not to data collected for employment or data covered under the federal health care privacy law, known as HIPAA. Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act, air carriers under the FAA, and national securities associations registered under the Securities Exchange Act are also exempt.
An announcement from Weiser’s office Wednesday said the first round of letters would focus on legal obligations for companies covered under the law, with an emphasis on collection and use of sensitive data, including the law’s requirement that companies obtain consumer consent prior to collecting sensitive data, and the obligation to allow consumers to opt out of targeted advertising and profiling.
“As I’ve said publicly throughout the process, this Department’s enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy. Our enforcement of this important law will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts,” Weiser said Wednesday. “These letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”
Enforcement is up to the attorney general and not private citizens, according to the attorney general’s website.


