This may sound familiar, but another state has joined the data collection party. Colorado has passed the Colorado Privacy Act, yet another piece of the patchwork of state privacy laws across the US that is slowly increasing the privacy obligations on businesses. So how closely does the Colorado Privacy Act follow other state legislation? How, if at all, does it differ from already-existing legislation? And what, if anything, do businesses need to do to comply with it?
What is the Colorado Privacy Act?
The Colorado Privacy Act includes the main features of data privacy laws we've come to expect, specifically giving consumers (a) a right to opt out of targeted advertising, the sale of personal data, and profiling; (b) a right to access the information held about the consumer; (c) a right to correct that information; (d) a right to deletion; and (e) a right to "portability" of information (i.e. downloading whatever information the company has collected). It also imposes duties on the entities collecting the information, such as using information only for the purposes for which it was collected, and a duty to disclose why the information is being requested. As under the California Consumer Privacy Act (CCPA), these rights are exercised through consumer requests, and those requests must be verified. However, the Colorado Privacy Act goes further by spelling out what happens when a request is denied, including an appeal process; Colorado is the first state to specify that an appeals process must be in place.
Also, following the lead of the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act limits the affected companies to entities that collect the information of 100,000 or more consumers, though it differs by also covering entities that collect the information of 25,000 or more consumers and derive revenue from, or receive a discount on the price of goods or services in exchange for, the sale of that personal data. This casts a net that is wider than Virginia's, but narrower than the CCPA and the upcoming California Privacy Rights Act (CPRA), both of which include a revenue trigger under which entities with revenue beyond a certain amount become subject to the law. Also, as under the VCDPA, individuals acting in a business-to-business context or seeking employment are explicitly excluded.
One more point of importance: the Colorado Privacy Act follows recent revisions to the CCPA regulations by explicitly forbidding "dark patterns," which are deliberate attempts to subvert or confuse the opt-out process. For example, a website interface might make the opt-out option hard to find by hiding it behind a "more info" link, or might use double negatives to explain how to opt out (e.g. "do not uncheck this box if you wish to have your information collected").
For those who have already taken proactive measures to comply with the CCPA and VCDPA, little to no additional action should be necessary. If you have not complied with these existing privacy laws and your company does business with Colorado residents, you will need to launch a compliance program. Preparation and education remain the best remedy, especially as these laws seem to take inspiration from one another, so that an update to one will likely cause ripples through the others, such as California's treatment of dark patterns in its regulations, or the separate treatment of "data brokers" under the CCPA and VCDPA, which led Nevada to expand its privacy law to specifically address those entities. Unlike other states, Colorado does not lay out the cost of non-compliance in the Colorado Privacy Act itself. Instead, the law defines a violation as a "deceptive trade practice" under the Colorado Consumer Protection Act, with penalties starting at $2,000 per violation and capped at $500,000 for any related series of violations. Both the per-violation amount and the maximum are lower than under the CCPA and VCDPA.