The Colorado Privacy Act (the "CPA") was signed into law on July 8, 2021 by Governor Jared Polis, only 6 months after Virginia enacted its data privacy law, the Virginia Consumer Data Privacy Act ("VCDPA"). You can learn more about the VCDPA in our previous blog post. The CPA not only creates new rights for consumers and obligations for businesses, but also authorizes the Colorado Attorney General to promulgate additional rules and regulations to govern opinion letters and interpretive guidance to develop an operational framework for CPA compliance.
Effective July 1, 2023, businesses that control or process data must comply with the CPA if they (a) conduct business in Colorado or (b) produce products or services that are targeted to residents of Colorado, and they:
- Control or process personal data of at least 100,000 consumers, or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers
The CPA grants six rights to consumers—the same rights granted under the VCDPA:
- Right to confirm whether a controller is processing a consumer's personal data
- Right to access the personal data processed by a controller
- Right to correct inaccuracies in the consumer's personal data
- Right to delete personal data provided by or obtained by a controller
- Right to obtain a copy of the personal data a consumer has provided to the controller in a portable and readily usable format; and
- Right to opt out of processing of personal
  - Targeted advertising
  - Sale of personal data; and
A consumer may exercise the first rights above through a consumer request process that is identical to that of the VCDPA, including the ability to appeal a consumer request denial.
Like the VCDPA, the CPA grants consumers the right to opt out of processing for targeted advertising, the sale of personal data, and profiling. Unlike the VCDPA, the CPA requires businesses to establish a process to allow a person or technological mechanism (such as a browser setting, extension, or global device setting) acting on behalf of a consumer to exercise the right to opt out. Additionally, the Colorado Attorney General will promulgate rules to detail technical specifications for a universal opt-out mechanism that must be adopted by businesses prior to July 1, 2024.
The CPA establishes seven additional duties for controllers of personal data, many of which are similar to the seven underlying principles of Europe's General Data Privacy Regulation ("GDPR"):
- Duty of purpose specification (express purpose for collecting data)
- Duty of data minimization (collection must be adequate, relevant, and reasonably limited)
- Duty to avoid secondary use (purposes of collection must be reasonably necessary to accomplish the specified purpose)
- Duty of care (take reasonable measures to secure personal data)
- Duty to avoid unlawful discrimination
- Duty regarding sensitive data
As with the VCDPA, the CPA also requires a data protection assessment in certain circumstances and a binding contract between a controller and processor to govern any data processing.
The CPA does not have a private right of action. After a business receives notice of a potential violation, the business has a 60-day cure period to resolve such violation. If the business continues to violate the CPA following the cure period, the Attorney General may initiate an action against the business to seek an injunction and/or civil penalties.
Notably, the notice and opportunity to cure provision of the CPA will be repealed on January 1, 2025. As such, businesses must ensure their practices align with the requirements under the CPA as soon as possible. While many guiding regulations from the Colorado Attorney General are still to come, it is vital that businesses begin to prepare to comply with state data privacy laws to avoid the costs of investigation, possible injunction, and/or civil penalties.