Earlier this month, the governor of Colorado signed into law the Colorado Privacy Act (CPA), making Colorado the third state to enact a comprehensive data security law after California in 2018 and Virginia in March 2021. The CPA will become effective on July 1, 2023.
The CPA is similar to Virginia’s Consumer Data Protection Act (VCDPA) and adopts some aspects of the European Union’s General Data Protection Regulation (GDPR), as well as California’s Consumer Privacy Act and Consumer Privacy Rights Act. The CPA applies to businesses that collect or process large amounts of consumer data and either do business in Colorado or target Colorado residents, but excludes coverage of financial institutions subject to the Gramm-Leach-Bliley Act and entities subject to the Health Insurance Portability and Accountability Act.
Unlike California’s laws, the CPA does not apply to employee data or business-to-business data collections.
Under the new law, as in Virginia, Colorado consumers will have new rights to access, correct, delete, and obtain copies of their personal data from covered businesses and, significantly, to opt out of having their personal data used for targeted advertising. With another nod to the GDPR, the new law also creates various responsibilities for companies that collect (controllers) and process (processors) consumers’ personal data to ensure security and privacy. As in Virginia, controllers have additional duties under the CPA to:
- Provide reasonable security to protect personal data;
- Obtain consent to process sensitive data;
- Enter into data processing agreements with their data processors containing specifically prescribed terms to protect consumers;
- Provide detailed privacy notices;
- Notify consumers if they sell personal data;
- Establish a means for consumers to request to exercise their rights under the CPA; and
- Conduct and document a data protection assessment for certain processing activities, including the sale and use of personal data.
Processors, in turn, must comply with the requirements set out in their data processing agreements and must assist controllers in meeting their obligations under the CPA.
Like the VCDPA, the CPA does not provide a private right of action. Rather, Colorado’s attorney general and district attorneys are tasked with enforcing the new data security law.
As Ulmer advised in March of this year after Virginia passed the VCDPA, there is a growing trend of states introducing and enacting such consumer data protection laws. Dozens of state legislatures are currently considering laws that relate to the protection of consumer personal data. The Ohio House of Representatives just introduced a new bill, HB 376 or the Ohio Personal Privacy Act, which would create new rights for consumers and new requirements on businesses when it comes to processing and protecting personal data.
Other states have enacted laws aimed at protecting employee privacy in the wake of return-to-work efforts. The balance between worker safety and privacy is difficult to strike, but several states are coming down on the side of privacy. Hawaii and Oregon have limited employers’ ability to track employees’ locations, which could limit states’ ability to collect information for COVID-19 contact tracing, while a new Montana law prevents employers from mandating COVID-19 vaccines for employees. At stake is employees’ right to protect the privacy of their health information versus their safety from infection by the virus in the workplace. Many other states are considering similar laws. This rapidly changing legal landscape can make it difficult for employers to stay current.
There is still time for businesses to assess whether they may be subject to the CPA and/or other states’ privacy laws. While it is challenging for businesses to comply with the patchwork of data privacy laws across the country, it is critical to do so to minimize or avoid costly investigations and penalties.
Ulmer’s Cybersecurity & Privacy Practice Group stays ahead of developing laws like the CPA and can help make sure that you comply with these and other potentially applicable privacy requirements.