Colorado's “comprehensive” privacy law officially became law this week, with a 2 year runway to get up and running with compliance before it becomes effective. Beleaguered companies scrambling to pivot their CCPA compliance to accommodate California's newer CPRA law and Virginia's new privacy law before their effective dates 18 months from now are asking “what's new here?”
The good news for companies already doing business in California and/or Virginia and planning for compliance with those laws, is that there is not really anything fundamentally new here. The bad news is that even if you are fully compliant with CCPA (and many companies are still working toward that in at least some respects), there is a lot to get done between now and the effective dates of these newer laws, as all 3 of them go well beyond CCPA's requirements. And, each state has certain nuances – likely to be further amplified as the regulators provide guidance on these new laws – that may pose some challenges to operationalizing compliance.
Colorado's law applies to companies who do business in (or target their goods and services) to Colorado and who either (a) control or process the data of 100,000 or more Colorado consumers annually, or (b) control or process the data of 25,000 or more Colorado consumers annually and derive revenue or receive a discount on prices of goods or services from the sale of personal data. So, if you find yourself subject to this law, here are 5 key things you need to know:
- Scope: Colorado's law does NOT apply to employee data or b2b/contractor data. So far, only California's CPRA statute has this broader scope.
- Rights: Colorado consumers will have access, correction, deletion, and opt-out rights very similar to those in California and Virginia. The one place where Colorado may end up being notably different from the others is that the Colorado AG is to issue regulations on a “user-selected universal opt-out” and companies will be required to honor that opt-out by July 1, 2024.
- Sensitive Information: Like in Virginia, you will need a consumer's opt-in consent to process sensitive information. Contrast this to California, where consumers will have only the right to opt-out or limit use of sensitive information. Either way, you are going to need to identify and flag the sensitive information you have in your systems and be able to treat it differently than the rest, noting that what each state has defined as “sensitive” is a little different. For instance, the CPRA uniquely includes data like SSN and financial account data as sensitive, and Virginia and Colorado (but not California) include data from a known child.
- Risk Assessments: Like in Virginia and California, documented risk assessments will be required for certain types of data processing activities. Companies will need to build time into project plans to accommodate these requirements.
- Enforcement: As in Virginia, there is no private right of action, but AG penalties could be much higher: up to $20,000 per violation as opposed to up to $7,500.
Of course, it will be important to work through the specific requirements of each of the 3 new laws as further regulations or legislative updates occur between now and the effective dates, but we expect that with proper planning and preparation – which should start now -- companies will be able to cohesively manage compliance across the 3 states. One key issue to determine is whether you will adopt an overall compliance program that has one set of practices applicable across the 3 states (or all states) or whether you will handle the data and rights of each state's consumers differently, depending on the definitions or requirements of each statute.
You may also be asking yourself: what is lurking around the corner? Similar privacy legislation has been considered in Washington, Florida, New York, Massachusetts, and many other states, and although these have not made it over the finish line, we have every expectation that legislatures will continue working on privacy measures and that these types of compliance obligations will continue to spread throughout the United States in the coming couple of years. Rather than reinvent the wheel, Colorado chose – often word for word – the clauses from either California's CPRA or Virginia's CDPA that it liked best, and we hope that other states will mostly do the same.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.