In Colorado, just when it appeared that efforts to pass data privacy legislation would go on hiatus, a successful last-minute push enabled it to become the second state this year, and third overall, to enact comprehensive privacy legislation.
The Colorado Privacy Act (CPA) adds to a myriad of sector-specific regulations and anticipates additional regulations aimed at cybersecurity. While it is similar to Virginia's and California's data privacy statutes, there are some distinct differences, and because other states will likely follow suit, organizations may need to plan for a patchwork of state requirements rather than a single compliance baseline.
Broader Opt-Out and Enforcement Powers
The consumer opt-out right under the CPA differs from California's and Virginia's. By July 2024, companies must honor a universal opt-out expressed through a global privacy control browser setting, rather than requiring consumers to opt out on a website-by-website basis. The technical details of that setting have not yet been determined and are to be specified by the Colorado Attorney General (AG) in rules due by July 2023, but the signal must allow a consumer to opt out, across all websites, of processing that involves the sale of personal data, targeted advertising or profiling.
Enforcement also differs slightly under the CPA. In addition to the AG, any of the state's 22 district attorneys can bring an enforcement action, a first for U.S. privacy legislation. Before an action is brought, the CPA gives companies a 60-day cure period to bring their practices in line with its requirements; that cure period is scheduled to sunset on January 1, 2025, after which violations may be pursued without notice and opportunity to cure.
Restricted Use of 'Dark Patterns' and Data
The CPA is also among the first statutes (alongside California's CPRA) to provide explicitly that consumer consent obtained through the use of dark patterns is not valid consent. Dark patterns, user-interface designs that manipulate users of websites and apps into doing things they did not intend, often implicate data collection and consumer consent, and have therefore become a recent focus of regulators.
The Federal Trade Commission (FTC) and the California AG have both taken action to address dark patterns this year, the FTC through a workshop it hosted in April and California through amendments to the CCPA regulations. Colorado's inclusion of this provision in its legislation could signal the start of a trend.
Controllers under the CPA are also subject to a few requirements not found in the other state statutes, including a data-minimization duty: the collection of personal data must be limited to what is adequate, relevant and reasonably necessary for the specified purpose.
Similarities between CPA and Existing Regulations
Organizations attempting to comply with the CPA can take comfort in knowing that much of it is borrowed from existing regulations. For example, the rights to access, review and correct data resemble those in the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (CDPA), the European Union's General Data Protection Regulation (GDPR) and various sector-specific laws. As under the CCPA, CDPA and GDPR, companies are also required to enter into written agreements with third parties, vendors and service providers that process data on their behalf.
The CPA's consumer notice requirements are also similar to other legislative frameworks. Under the CPA, companies must maintain a privacy notice that describes the categories of data collected, the purposes for which data is processed, how and where consumers may exercise their rights, and the categories of third parties with whom data is shared, among other things.
The CPA's applicability and scope are also limited in ways similar to the CDPA's. For example, under both the CPA and the CDPA, the definition of a "consumer" does not encompass individuals acting in a commercial or employment context, job applicants, or beneficiaries of individuals acting in an employment context.
Summary of Current State Legislation
The table below contains an overview of some of the key differences between the legislation in Colorado, Virginia and California:
| | Colorado (CPA) | Virginia (CDPA) | California (CPRA) | California (CCPA) |
|---|---|---|---|---|
| Effective date | July 2023 | January 2023 | January 2023 | January 2020 (replaced by the CPRA in 2023) |
| Companies subject to the law | Companies that meet either of the law's thresholds; nonprofit entities that meet those thresholds are also covered | Companies that meet either of the law's thresholds; nonprofit entities are exempt | Companies that meet any of the law's thresholds; nonprofit entities are exempt | Companies that meet any of the law's thresholds; nonprofit entities are exempt |
| Special requirements for sensitive data? | Yes | Yes | Yes | No |
| Consumer opt-out rights? | Yes; compliance with a universal opt-out through a global privacy control browser setting required by July 2024 | Yes; on a website-by-website basis | Yes; on a website-by-website basis | Yes; on a website-by-website basis |
| Purpose/processing limitations? | Yes | Yes | Yes | Yes |
| Risk assessment or data protection assessment required? | Yes, for certain processing activities | Yes, for certain processing activities | Yes, for certain processing activities | No |
| Special requirements for youth data? | Yes; consent required for data of a known child under 13, which the CPA treats as sensitive data | Yes; opt-in required if under 13 | Yes; opt-in required if under 16 | Yes; opt-in required if under 16 |
For a more in-depth discussion of the varying requirements across the U.S.'s broad regulatory scheme, please join us this fall for Armstrong Teasdale's Digital Transformation Webinar Series. Sign up to receive forthcoming information about the series.
Originally published July 14, 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.