Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 7, 2021, making Colorado the third state – California and Virginia being the other two – to enact comprehensive privacy legislation. There is still no regulatory scheme at the federal level, and so companies and privacy professionals alike have taken great interest in the budding trends at the state level. Here are some brief takeaways from the new law.
What is it? This law provides consumers the right to access, correct, and delete personal data, and the right to opt out not only of the sale of personal data, but also of the collection and use of personal data. It also imposes an affirmative obligation on companies to safeguard personal data, to provide clear and transparent information to consumers about how their data is used, and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.
To whom does it apply? It applies to legal entities that conduct business or produce commercial products or services that intentionally target Colorado residents and that either:
- Control or process personal data of more than 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
Note that there are some exceptions to this general rule within the law.
When does the new law take effect? The new law goes into effect on July 1, 2023.
How is the law enforced, and what are the penalties should it be violated? The law does not create a private right of action. Violations of the CPA are considered “deceptive trade practices” under the existing Colorado Consumer Protection Act (CCPA). The Attorney General and district attorneys have exclusive enforcement authority, and can seek injunctive relief or civil penalties. The penalties under the CCPA were increased in 2019, from $2,000 to $20,000 per violation, and from $10,000 to $50,000 per violation if committed against an elderly person. The Attorney General or local district attorney must issue companies a notice of violation and grant them sixty (60) days to cure the violation before bringing an enforcement action. Note that this provision is set to expire on January 1, 2025.
Nexsen Pruet attorneys are actively monitoring the trends cropping up as these state legal regimes arise, and as discussions surrounding a potential federal law take place.