Colorado Next in Line for Comprehensive Privacy Law
By Jacqueline Cooney, John Gasparini and Kimia Favagehi
Colorado will likely soon have its very own comprehensive privacy law. Colorado’s legislature recently passed the Colorado Privacy Act (SB21-190) (“CPA”). If signed into law by Governor Jared Polis (as is widely expected), the CPA will become the third major comprehensive privacy law in the United States after the California Consumer Privacy Act (“CCPA”), which was recently amended by the California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“VCDPA”).
Similar to California, Virginia, and the EU’s General Data Protection Regulation (“GDPR”), the CPA addresses common points in privacy legislation, including consumer rights, requirements for data controllers and processors, and whether there is a private right of action.
If signed, the CPA will go into effect on July 1, 2023.
The CPA creates personal data privacy rights for Colorado residents and specifies how companies must provide those rights. It applies to legal entities that conduct business in Colorado, or that produce commercial products or services intentionally targeted to Colorado residents, and that either (1) control or process the personal data of at least 100,000 consumers per calendar year; or (2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The CPA includes certain exceptions: it does not apply to air carriers, some publicly available information, de-identified data, employment records, and certain data governed by other state or federal laws. Additionally, the CPA defines “consumer” as “an individual who is a Colorado resident acting only in an individual or household context,” and so excludes individuals acting in a commercial or employment capacity. The CPA defines “personal data” as “information that is linked or reasonably linkable to an identified or identifiable individual.”
The CPA creates a number of consumer rights similar to California’s laws, the VCDPA, and the GDPR. While not fully fleshed out by the legislation, they are:
- Right to opt out: Consumers may opt out of data processing for purposes of targeted advertising, sales, and profiling. Consumers can also universally opt out of any targeted advertising and the sale of personal data. Still, the CPA will allow controllers to ask consumers for their consent to process personal data even if they originally opted out.
- Right of access: Consumers will have access to their personal data and may verify whether a controller processes it.
- Right to correction: Consumers can correct inaccuracies in their personal data.
- Right to deletion: Consumers will have the right to delete their personal data.
- Right to data portability: Consumers can obtain their personal data in a portable and readily usable format that can be transmitted to another entity.
Like the VCDPA, the CPA will not provide a private right of action. Rather, the Colorado Attorney General and local district attorneys will lead all enforcement actions. This is unlike California’s laws, which allow a private right of action for security incidents. Under the CPA, any violation will be identified as a deceptive trade practice. The CPA also provides the Colorado Attorney General with the authority to “promulgate rules for the purpose of carrying out [the CPA].”
In addition, until January 1, 2025, before the Colorado Attorney General or a district attorney may pursue an enforcement action, the violating entity is entitled to a sixty-day cure period in which to remedy the violation.
Comparison to Other Privacy Laws
The CPA both tracks and departs from existing state privacy laws. For example, the CPA’s definition of “consumer” is similar to the VCDPA’s, and both definitions exclude an individual acting in an employment or commercial capacity; California’s laws make no such exclusion. The CPA also includes many consumer rights that are present in both California and Virginia, including the right to correction. While absent from the CCPA, this right was added by the CPRA and is included in the VCDPA as well.
The CPA also shares many similarities with the GDPR. Perhaps most interesting are the CPA’s requirements resembling Article 28 of the GDPR, which requires specific contractual obligations to be executed between data controllers and processors. While California’s laws and the VCDPA also include similar contractual obligations, they are not laid out as specifically as in the CPA. Specifically, the CPA requires contracts between data controllers and processors that set out processing instructions, including the duration of the processing and the type of personal data subject to it.
If the CPA is signed by Governor Jared Polis, Colorado will become the third state to have a comprehensive privacy law. Given its similarities to existing privacy laws, companies that are already compliant with the GDPR, the California privacy laws, and the VCDPA may have an advantage over companies that are not yet compliant. Still, all businesses subject to the CPA must take a close look at their privacy programs to ensure they comply with these new requirements.