On July 8, 2021, the Colorado Privacy Act (CPA) was signed into law with an effective date of July 1, 2023. Colorado became the third US state, after California and Virginia, to enact a comprehensive privacy law. The objective and basic consumer rights provisions within CPA are not very different from these state privacy laws. However, unlike the California Consumer Privacy Act (CCPA), CPA has adopted the controller-processor approach of the General Data Protection Regulation (GDPR). Earlier this year, Virginia, with its Virginia Consumer Data Protection Act (VCDPA), adopted a very similar approach. Similar to GDPR, the controller is the one who determines the purpose and means of processing, while the processor is the one who processes the personal data on behalf of the controller. The CPA expects the controller to perform a data protection assessment where processing presents “a heightened risk of harm” to the consumer.
The CPA applies to the controller who does business in Colorado or who “deliver[s] commercial products or services targeted toward the resident of the state.” Unlike CCPA, the CPA does not have a revenue threshold. The law is applicable only when the “controller processes the personal data of 100,000 consumers or more during a calendar year” and/or “derives revenue or receives discount on the price of goods or services from the sale of personal data and controls or processes the personal data of [25,000] consumer[s] or more.” Additionally, the law is applicable only in an individual or household context; commercial or employment context is not included in the scope of the law.
Similar to CCPA and VCDPA, the CPA provides certain rights to the consumer as outlined below:
Similar to CCPA, the CPA does not expect a consumer to create a new account with the controller to exercise his/her rights. The law expects the controller to authenticate the identity of the consumer while responding to the consumer requests. The controller needs to fulfill the consumer request free of charge within 45 days, with an option to extend it for another 45 days, “depending on the complexity and number of the requests.” However, for any subsequent consumer request within a 12-month period, the controller may charge a fee. In situations where a controller may deny a consumer request, the CPA provides the consumers the right to appeal.
Similar to GDPR, the CPA requires the controllers and the processors to follow certain requirements as outlined below:
Unlike CCPA, both the attorney general and district attorneys can enforce the law. Prior to initiating any action against the controller, the enforcement authority will issue a notice of violation and the controller will have 60 days to cure. However, this provision to cure will be repealed after January 1, 2025. The law does not provide explicit guidance about penalties or fees for privacy violation. However, any violation of the act will be considered as a deceptive trade practice.
Even before organizations had the ability to digest and prepare for the VCDPA, organizations have another new state privacy law to incorporate into their operations. With other state laws in the pipeline, organizations should prepare themselves with a comprehensive privacy compliance program. Many may wonder where to start and what is the most efficient approach toward developing this type of robust privacy program. Organizations should start with gaining an understanding of the data that it is collecting, processing, retaining, and sharing with third parties and developing a data inventory to understand the flow of consumer personal information across business units, service providers, and third parties. Organizations will then be able to conduct current state assessments against any new privacy laws to identify any compliance gaps and develop a roadmap of future activities to address compliance gaps and operationalize new requirements.
1 Sensitive data is defined as personal data related to “racial origin, mental health condition, citizenship, sexual orientation, biometric data,” etc.
2 Child is defined as an “individual under 13 years of age.”