That Makes Three! The U.S. States Trickle Toward Extending Consumer Data Privacy Protections with Colorado’s Privacy Act

Adams and Reese LLP

Adams and Reese LLP

On July 8, Governor Jared Polis of Colorado signed a bipartisan bill into law that enhances consumers’ data privacy rights. Colorado is the third state to enact comprehensive data privacy legislation, following California and Virginia, with the passage of the Colorado Privacy Act (CPA).

Colorado’s new legislation recognizes that consumers are increasingly reliant on sharing their data to facilitate routine transactions. Sharing data can be useful to consumers and businesses, but such frequent use also accompanies risks. This is the twofold issue the state addresses with its new law: (1) encouraging the use and development of technologies that incorporate consumer data and (2) while ensuring the security of personal data through enhanced rules and enforcement mechanisms. This framework also guides how to review the legislation.

Looking at the Law

The CPA guarantees consumers certain rights, including:

At the same time, the law mandates that businesses take certain measures:

  • safeguard personal data
  • provide clear, understandable, and transparent information to consumers about how their personal data is used
  • strengthen compliance and accountability by requiring data protection assessments of the collection and use of personal data, and
  • grant access to the Attorney General and District Attorneys for evaluation, enforcement, and prevention purposes.

CO Privacy Act

The CPA defines controller as one who:

a) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and

b) satisfies one or both of the following provisions:

  1. controls or processes the personal data of 100,000 consumers or more during a calendar year; or
  2. derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Classification is Key

The law distinguishes between processors and controllers.

More limited role. More active in data transfer process and the legislation.
Process personal data on behalf of controllers. Can work alone or with other controllers.
Required to abide by controller's instructions. Determine the purposes for and methods by which processing of personal data can occur.
Assist the controller in completing its obligations. Must respond to consumer requests.
Required to ensure the processor's subcontractors are bound by a duty of confidentiality. If the subcontractor is unwilling, the processor should not contract with it.

Duties of:

  • Transparency
  • Purpose specification
  • Data minimization
  • To avoid secondary use
  • Care
  • Avoid unlawful discrimination
  • Regarding sensitive data

The CPA is similar to the European Union’s General Data Protection Regulation and California’s and Virginia’s privacy law models. Considering that the California Consumer Privacy Act (CCPA) was the first data privacy law within the United States, it is helpful to compare it with Colorado’s law.



  • Text of CCPA excludes non-profits; however, there can be overlap if a non-profit has a for-profit subsidiary or joint venture, for example.
  • Applies to for-profit businesses that meet any of the following:
  1. a gross annual revenue in excess of $25 million;
  2. buy, receive, sell personal information of 50,000 or more California residents, households, or devices; or
  3. derive 50% or more of their annual revenue from selling California residents’ personal information.


  • No specific carve-out for controllers of non-profit entities based on the definition of controller.
  • No revenue thresholds included; however, the CPA applies:
  1. to businesses that process personal information of 25,000 consumers and receive revenue or other valuable consideration for the sale of personal data; and
  2. even if a business derives less than 50% of its gross annual revenue from sales of personal data.

Consumer Rights

  • A California resident may ask businesses subject to the CCPA:
  1. to disclose the personal information they have about the resident,
  2. what they do with that information,
  3. to delete that information,
  4. to not sell that information,
  • Notification rights, including:
  1. the right to be notified before or after collection of your personal information,
  2. to be notified of the types of information collected, and
  3. the purposes and uses of collection.

Consumer Rights

  • Right of access
  • Right of correction
  • Right of deletion
  • Right to receive data and share it in a technical format
  • Right to opt out
  • Right to appeal


  • Includes a private right of action.
  1. Enforcement via the Attorney General of California and the California Department of Justice.


  • No private right of action.
  1. Enforcement via the Attorney General, District Attorneys of Colorado.


  • No consumer right of appeal.


  • Consumers have a right to appeal if a business denies the consumer a right granted under the CPA.

Next Steps

The CPA does not take effect until July 1, 2023. Until then, it is wise for businesses to prepare and adjust their policies to ensure they will be compliant. Once effective, businesses will be cited for non-compliance and have 60 days to cure deficiencies until January 1, 2025, at which point companies will no longer receive a grace period of 60 days.

The Attorney General takes enforcement measures, which can include civil penalties of $20,000 per violation with a maximum penalty of $500,000 for one related event. A violation will be considered a deceptive trade practice.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Adams and Reese LLP | Attorney Advertising

Written by:

Adams and Reese LLP

Adams and Reese LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.