After California and Virginia, Colorado recently became the third state to pass a comprehensive consumer data privacy bill. Although this new Colorado Privacy Act (CPA) overlaps with the California and Virginia privacy laws, it differs from those laws in some respects. For example, it does not generally exempt nonprofit organizations from its scope, but generally exempts information in the employment and business-to-business context. This new Colorado law will become effective on July 1, 2023. Further, it permits the Colorado attorney general to develop regulations implementing the CPA and provides a process for issuing opinion letters and interpretive guidance.
The CPA applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents AND either:
The CPA exempts certain entities and certain types of personal information. Some limited examples include the following:
The CPA defines a “controller” as a person or entity that “alone or jointly with others, determines the purposes for and means of processing personal data.” Controllers must provide Colorado consumers the following data subject rights:
Controller and Processor Responsibilities
A “processor” is a person or entity (e.g., a service provider or vendor) that processes personal data on behalf of a controller. Some notable requirements for controllers and processors under the CPA (in addition to those already noted for controllers above) include:
The CPA can be enforced by district attorneys and the Colorado attorney general through injunctions or civil penalties. Civil penalties may be up to $2,000 per violation and are not to exceed $500,000 for any related series of violations. There is no private right of action for violations of the CPA, but violations constitute a deceptive trade practice for purposes of public enforcement. Notably, the CPA provides a 60-day cure period for controllers to rectify non-compliance before the attorney general or district attorney may take enforcement action. This cure period will be phased out after January 1, 2025, at which time the Colorado attorney general may act without such notice.
As the new California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and Colorado Privacy Act (CPA) go into effect January 1, 2023, organizations should start preparing for compliance with these laws during the remainder of 2021 and in 2022. Many of the efforts required to comply with the CPRA and CDPA will assist with CPA compliance. However, organizations should take care to implement measures that adequately address the unique aspects of each law.
CPA requirements will be further developed and clarified as the Colorado attorney general implements regulations and provides regulatory guidance. Additionally, as Colorado gathers public feedback regarding the CPA, the Colorado General Assembly may enact legislation to fine-tune the CPA in the relatively near future. Because multiple states have enacted consumer privacy laws, and more will likely soon follow, businesses obligated to comply with multiple state laws should consider adopting policies and procedures that apply to consumers in multiple states, following the most restrictive applicable state requirements.