Suppose a person living in Colorado is a registered member of a church. In this church, certain “blessings” are considered contingent on your membership. Membership is recorded on a digital system.
This church also considers donations to it a commandment.
It also has over 100,000 members.
Suppose this person wanted to officially leave the church and request that this membership data be deleted. Is the church in question obligated under the Colorado Privacy Act to comply with said request?
Probably not.
The Act applies to:
(1) EXCEPT AS SPECIFIED IN SUBSECTION (2) OF THIS SECTION, THIS PART 13 APPLIES TO A CONTROLLER THAT: (a) CONDUCTS BUSINESS IN COLORADO OR PRODUCES OR DELIVERS COMMERCIAL PRODUCTS OR SERVICES THAT ARE INTENTIONALLY TARGETED TO RESIDENTS OF COLORADO; AND (b) SATISFIES ONE OR BOTH OF THE FOLLOWING THRESHOLDS: (I) CONTROLS OR PROCESSES THE PERSONAL DATA OF ONE HUNDRED THOUSAND CONSUMERS OR MORE DURING A CALENDAR YEAR; OR (II) DERIVES REVENUE OR RECEIVES A DISCOUNT ON THE PRICE OF GOODS OR SERVICES FROM THE SALE OF PERSONAL DATA AND PROCESSES OR CONTROLS THE PERSONAL DATA OF TWENTY-FIVE THOUSAND CONSUMERS OR MORE.
Colo. Rev. Stat. § 6-1-1304(1).
The Rules contain the following related definition:
“Commercial product or service” as referred to in C.R.S. § 6-1-1304(1)(a) means a product or service bought, sold, leased, joined, provided, subscribed to, or delivered in exchange for monetary or other valuable consideration in the course of a Controller’s business, vocation, or occupation.
There is no case law on point, but generally speaking a house of worship or a church is not considered a business, so it is probably not within the scope of the Act.