The Landscape Gets Rockier: Colorado Becomes Third State to Pass a Comprehensive Data Privacy Law

July 9, 2021

By: Amber L. Lawyer, Shannon A. Knapp, and Maureen H. Milmoe

Colorado has officially become the third state to enact a comprehensive consumer privacy act. The Colorado Privacy Act (CPA) passed the state’s legislature in June and had been awaiting the Governor’s signature. On July 7, Gov. Jared Polis signed the CPA, marking another important development in U.S. data privacy law. Like its U.S. predecessors, the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA) (recently amended by the California Privacy Rights Act (CPRA)), the CPA gives consumers greater control over their personal data and places certain obligations on businesses to handle consumers’ data responsibly. The CPA will go into effect on July 1, 2023. Some of the most important aspects of the law are detailed below.

Who does the law apply to? 

The CPA applies to any legal entity that conducts business in Colorado or produces or delivers products and/or services intentionally targeted to Colorado residents, and that meets at least one of the following thresholds: (1) it controls or processes the personal data of more than 100,000 consumers per year; or (2) it has some financial connection to the sale of personal data and controls or processes the personal data of more than 25,000 consumers per year.

There are a few exceptions, but essentially all private entities meeting these requirements would be subject to the CPA. Unlike the VCDPA and the CCPA, the CPA contains no exemption for nonprofit organizations, so a nonprofit that meets one of the above thresholds would be subject to the law. The CPA does not, however, apply to certain entities, including public utilities, airline carriers, state entities, and state institutions of higher education. Exemptions also exist for entities collecting data that is already regulated by other data privacy regimes.

What does CPA do? 

Much like the Virginia and California laws, the CPA establishes certain privacy rights for Colorado consumers. Specifically, the CPA largely mirrors the VCDPA by expanding Colorado consumers’ rights to access, correct, delete, and transfer their personal data. Importantly, the CPA also gives Colorado consumers the right to opt out of the sale of personal data, targeted advertising, and various types of profiling. In addition, the CPA requires covered businesses to obtain affirmative consent before processing sensitive personal data, such as personal data revealing race, ethnic origin, religion, mental or physical health, or sexual orientation.

Entities covered by the CPA must update their internal processes and external notices to comply with the law. Businesses must provide consumers with a reasonably accessible, clear privacy notice that discloses, among other things, the personal data the business collects and the purposes for which it may be used. Covered entities may also be required to perform data protection assessments for certain high-risk activities, including targeted advertising, the sale of personal data, the processing of sensitive data, and other activities that present a heightened risk of harm to consumers. The CPA imposes further compliance obligations on covered businesses, including transparency, specification of the purpose for processing personal data, data minimization, avoidance of secondary use of personal data, and a duty of care.

What are the enforcement mechanisms? 

The Colorado Attorney General and district attorneys have exclusive authority to enforce compliance with the CPA. Importantly, the CPA does not create a private right of action for consumers. Initially, the CPA includes a cure period for violations, giving businesses some breathing room to come into compliance; however, the cure period will automatically terminate in July 2025.

The Colorado Attorney General has rulemaking authority over all technical specifications under the Act. As for civil penalties, violations of the CPA can result in injunctive relief and fines of up to $20,000 per violation, with each consumer or transaction involved constituting a separate violation.

What does this mean for your business? 

The Colorado Privacy Act is the newest state legislation to enter the complicated U.S. data privacy landscape. Companies that conduct business in multiple states, including Colorado, will want to ensure compliance with each state’s data privacy laws and should not overlook the differences among them. Specifically, businesses subject to the CPA will want to begin compliance efforts now so that they are ready when the law becomes effective, including updating their privacy policies and contracts to reflect CPA-specific requirements.

For more information regarding the Colorado Privacy Act and compliance efforts businesses should be taking, contact Amber Lawyer, Shannon Knapp or any attorney in the Cybersecurity and Data Privacy practice.