Colorado has become the third state to enact a comprehensive consumer data privacy statute. Passed by the Colorado General Assembly on June 8, 2021, and signed into law by Colorado Governor Jared Polis on July 7, 2021, the Colorado Privacy Act ("CPA") is slated to come into effect on July 1, 2023. The CPA includes various key concepts that will be familiar to those who followed the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), and the Virginia Consumer Data Protection Act ("CDPA"). For companies subject to the CPA but otherwise new to comprehensive consumer data privacy legislation, the July 2023 effective date allows time to strengthen data governance frameworks.

Similar to Virginia's CDPA, Colorado's CPA adopts a nomenclature that is more aligned with the terminology used in the European Union's General Data Protection Regulation ("GDPR") than that used by California's CCPA and CPRA. While the CPA may present significant and new obligations for companies that have not previously undertaken a GDPR (or CDPA) analysis, or have not made these rights available at a global scale, companies that have implemented "global GDPR compliance programs" will likely not struggle to meet the requirements set out by the CPA.

Key CPA distinctions for companies to consider include the new and controversial "universal opt-out mechanism" for consumers (to be clarified in regulations), the opt-in consent requirement for "sensitive data," and the ability of district attorneys, in addition to the state attorney general, to enforce the statute.

What Should Companies Start Thinking About?

The threshold question for any company facing this new law is to determine whether the CPA is likely to apply to data that the company collects or processes. As detailed in the "Scope of the CPA" section below, the statute sets out a test based on the scale of a company's operations in regard to its control or processing of personal data.

Companies that are likely to be subject to the CPA should follow the office of the Colorado Attorney General (the "CO AG"), currently led by technology policy veteran Phil Weiser, as the CPA empowers his office with rulemaking capabilities. Possible rulemaking may include clarifying ambiguous definitions and addressing compliance concerns, for example as related to the "universal opt-out mechanism."

For companies already subject to the CCPA (and/or GDPR), there will be similarities to and overlap with certain compliance elements, including in the area of data subject rights. For companies that have not yet had to comply with the CCPA or GDPR but will be subject to the CPA, the time before July 2023 provides an opportunity to conduct a data mapping and review of privacy/data governance programs. These efforts, as well as the implementation of attendant compliance programs, are a worthwhile investment, particularly as other state legislatures are actively considering comprehensive privacy laws of their own.

Scope of the CPA

The CPA applies to legal entities that conduct business in Colorado, or target Colorado residents, and that either (1) control or process personal data of more than 100,000 consumers per year, or (2) earn revenue from the sale of personal data and control or process personal data of more than 25,000 consumers. Similar to the CDPA and unlike the CCPA, the CPA does not have a minimum revenue threshold. Adopting GDPR nomenclature, the CPA refers to covered legal entities as "controllers."[1]

The CPA defines "consumer" narrowly as a Colorado resident acting only in an individual or household context, thus exempting employees and job applicants. Also, "personal data" is broadly defined as information that is linked or reasonably linkable to an identified or identifiable natural person, with exceptions for "de-identified data" and "publicly available information." The "de-identified data" exception is contingent on the controller taking certain measures to ensure that the data is not linkable to an individual and will not be re-identified.

In addition, the CPA exempts certain types of data and certain types of entities. Exempt entities include financial institutions subject to the Gramm-Leach-Bliley Act ("GLBA") and institutions of higher education. Exempt data include personal data subject to the GLBA, protected health information under the Health Insurance Portability and Accountability Act ("HIPAA"), personal information subject to the Fair Credit Reporting Act ("FCRA"), and data maintained for employment records purposes.


1. A "controller" is defined in the CPA as "a person that, alone or jointly with others, determines the purposes and means of processing personal data."

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.