Colorado Passes Comprehensive Privacy Law - 4 Quick Takeaways

Womble Bond Dickinson

Womble Bond Dickinson

Colorado’s governor, Jared Polis, signed the Colorado Privacy Act (“CPA”) into law on July 7th, 2021.  

Colorado joins California and Virginia as the third state with a comprehensive privacy law in the United States. 

CPA adds nuance and complexity to the growing patchwork of US data protection requirements. We will follow-up with more discussion on how this impacts your business in the lead-up to the law’s effective date (July 1, 2023). Here are a few key highlights:

Who Is Protected?

CPA regulates Colorado residents in their individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).  

Who Is Regulated?

CPA regulates “controllers” that conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents (“consumers”) and meet one of two thresholds: (1) controls or processes personal data of at least 100,000 consumers or (2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes personal data of at least 25,000 consumers. 

CPA does not apply to state agencies or political subdivisions of Colorado, entities or data subject to GLBA, higher education institutions and data collected by covered entities or business associates governed by HIPAA. 

What Changes Are Needed in Contracts?

The CPA requires controllers to include a list of provisions in their contracts with processors, including, but not limited to, requiring the processor to allow for audit and inspections and that its’ employees involved in the processing of data are subject to a duty of confidentiality.

How Will CPA Be Enforced?

CPA does not include a private right of action.  CPA may be enforced by the Colorado Attorney General’s Office and District Attorneys.  The AG and DAs will have authority to ask a court to enjoin businesses whose actions in violation of the CPA.  For the first two years of the law, entities will have a 60-day notice and cure period to remedy any violations of the law before the AG or DAs can initiate an enforcement action. This cure period will be automatically repealed on January 1, 2025.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Womble Bond Dickinson | Attorney Advertising

Written by:

Womble Bond Dickinson

Womble Bond Dickinson on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.