Colorado Privacy Act joins growing wave of state data privacy laws
This article is part of a series providing insight and updates on the latest state data privacy legislation, including a companion piece on Virginia's data privacy law.
Following suit with what is expected to be a wave of states joining California in expanding data security protections for consumers and heightening requirements for businesses to protect consumer data, Colorado enacted the Colorado Privacy Act (CPA) on July 8, 2021. The law becomes effective July 1, 2023 and is similar in scope to the privacy law Virginia passed last year as well
How does the CPA define “personal data” and “consumer”?
Like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), Colorado broadly defines “personal data” as information that is linked or reasonably linkable to an identified or identifiable individual. A “consumer” is an individual who is a Colorado resident acting only in an individual or household context. The definition excludes individuals acting in a commercial or employment context, including job applicants. Business contacts, employees, and job applicants therefore do not have the same rights as “consumers” under the Colorado law.
What businesses does the CPA apply to?
Unlike the CCPA, the Colorado law does not include a revenue threshold. The law applies to entities that conduct business in Colorado, or that produce products or services intentionally targeted to Colorado residents, and that either (a) control or process the personal data of 100,000 or more consumers during a calendar year, or (b) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers. Unlike other state data privacy legislation, the Colorado Privacy Act does not exempt non-profit organizations. However, similarly to the CCPA and VCDPA, the Colorado Act exempts data maintained by state and local government agencies and data or entities already regulated by federal laws such as the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), and the Health Insurance Portability and Accountability Act (HIPAA).
The Colorado law follows a GDPR-like distinction between controllers and processors and requires the parties to enter into a binding contract that sets out the controller's processing instructions to the processor, the nature and purpose of the processing, the type of personal data that will be shared with the processor for the services being performed, the duration of the processing, and the processor's obligations regarding confidentiality, deletion or return of data, subprocessor engagement, and audits of its compliance.
Colorado residents’ rights under the CPA
The law gives Colorado residents the rights of access, correction, deletion, and data portability. Controllers must disclose these rights in a “reasonably accessible, clear, and meaningful privacy notice.” A controller must respond to an access, correction, deletion, or portability request, informing the consumer of any action taken or the reasons for declining to act, within 45 days of receiving the request; that period may be extended once by an additional 45 days where reasonably necessary, provided the consumer is notified of the extension within the initial 45-day window.
On the law’s effective date, Colorado consumers will be able to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Like Virginia, the Colorado Act does not provide a private right of action; enforcement rests exclusively with the Attorney General and district attorneys. The CPA provides that a violation constitutes a deceptive trade practice under the Colorado Consumer Protection Act, which carries a potential civil penalty of up to $20,000 per violation, compared to the $7,500 maximum penalty under the Virginia and California acts. Each consumer involved may constitute a separate violation, and the maximum penalty for a series of related violations is $500,000. Until January 1, 2025, enforcers must first issue a notice of violation and allow a 60-day cure period before bringing an action; after that date the cure period is no longer required.
Entities operating in Colorado are encouraged to review the law in greater detail and begin the process now of revising and updating internal policies and procedures, as well as external privacy policies and notices, to establish a compliant culture well in advance of the law’s effective date.