Colorado is now the third state in the U.S. to pass comprehensive privacy legislation, following in the footsteps of California and Virginia. The Colorado Privacy Act (the “CPA”), passed by the state’s General Assembly as SB 190, is currently awaiting signature by Governor Jared Polis. If signed, the CPA will become effective July 1, 2023.
The CPA includes a mix of concepts similar to those found in other comprehensive privacy legislation passed in the U.S. (e.g., the California Consumer Privacy Act (the “CCPA”) and Virginia’s Consumer Data Protection Act (the “CDPA”)), as well as the European Union’s General Data Protection Regulation (the “GDPR”). Key aspects of the CPA include the following:
The Attorney General is authorized to promulgate rules for carrying out the CPA, which will likely provide additional clarity regarding the specific provisions of the CPA and how they will be interpreted and enforced. Entities that are already in compliance with the GDPR and the CCPA or the CDPA are likely largely in compliance with the CPA already. However, entities that are not subject to the GDPR, the CDPA or the CCPA, but that are subject to the CPA, should start planning now how to comply with the CPA by July 2023.