Section 6-1-1309 - Data protection assessments - attorney general access and evaluation - definition(1) A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after July 1, 2023, that present a heightened risk of harm to a consumer.(2) For purposes of this section, "processing that presents a heightened risk of harm to a consumer" includes the following:(a) Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: (I) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;(II) Financial or physical injury to consumers;(III) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or(IV) Other substantial injury to consumers;(b) Selling personal data; and(c) Processing sensitive data.(3) Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.(4) A controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1. Data protection assessments are confidential and exempt from public inspection and copying under the "Colorado Open Records Act", part 2 of article 72 of title 24. The disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.(5) A single data protection assessment may address a comparable set of processing operations that include similar activities.(6) Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.Added by 2021 Ch. 483, § 1, eff. 7/1/2023.