Legislative Alert: Colorado Privacy Act Passes State Senate, Signed Into Law By Governor

By: Jill Szewczyk & Jacqueline Leahy

On June 8, 2021, the Colorado Senate passed the Colorado Privacy Act (CPA). It was then signed into law by Colorado Governor Jared Polis on July 7, 2021, and will go into effect on July 1, 2023. The CPA follows in the tradition of the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA) by creating consumer rights and imposing requirements on businesses to guarantee greater protections over consumers’ personal data. 

The CPA applies to entities that conduct business or intentionally target products or services to Colorado residents, and that either: control or process personal data of more than 100,000 consumers per calendar year directly or through processors; or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. The CPA contains notable exclusions for financial institutions subject to the federal Gramm-Leach-Bliley Act and for some types of health and patient information maintained by HIPAA covered entities.

Personal Data 
“Personal data” under the CPA is defined more broadly than “personal information” is defined in Colorado’s existing data security law. The CPA defines personal data to include “information that is linked or reasonably linkable to an identified or identifiable individual.” Neither publicly available nor de-identified information are included within this definition. As such, the CPA’s definition differs substantially from the Colorado data security statute’s definition of “personal information,” which is limited in scope to a Colorado resident’s first name or first initial and last name in combination with specific data elements, including (but not limited to) a Social Security number, student ID, military ID, drivers’ license or other state ID card, and/or passport information.

Consumer Rights
The CPA provides rights to “consumers”, which include only Colorado residents acting in an individual or household context, and expressly exclude individuals acting in a commercial or employment context. The CPA grants consumers several rights, including the right to: opt out of certain personal data processing; access their personal data; correct inaccurate personal data; and delete personal data. Consumers are also granted the right to obtain copies of their data in portable and – to the extent possible – readily usable formats. Consumers can exercise these rights by submitting formal requests, to which data controllers must respond without undue delay and within 45 days from the date the request is received. Where requests are numerous or complex, data controllers can extend the initial 45-day period by an additional 45 days, provided that notice of this extension is given to the consumer who made the request.

New Requirements for Regulated Businesses
The CPA requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risks of data collection and processing. Controllers must also conduct data protection assessments for data processing that presents a heightened risk of harm to consumers, such as data processing for the purpose of targeted advertising or the processing of specific types of sensitive data that may include ethnic, religious, or medical information. 

The CPA imposes duties on data controllers to uphold consumers’ rights under the Act, requiring transparency in privacy practices, measures to secure personal data, specified purposes for which personal data is collected and used, and minimization of personal data. It also requires consumer consent for any secondary use of personal data and/or processing of sensitive data. Data controllers must also avoid unlawful discrimination against consumers in line with anti-discrimination laws in place at the state and federal levels. 

Unlike the CCPA, the CPA does not create a private right of action allowing individual consumers to sue for violations. Instead, Colorado’s attorney general and district attorneys have exclusive enforcement powers, which enable them to impose penalties up to $20,000 per violation for each consumer involved. The maximum penalty Colorado’s attorney general and district attorneys can impose under the CPA is $500,000 for one series of related violations.

Will Regulators Issue Rules or Guidance on the CPA? 
The Colorado attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms under the CPA by no later than July 1, 2023. At the attorney general’s discretion, further rules governing processes for issuing opinion letters and interpretive guidance may be issued and adopted until January 1, 2025.

Though the CPA will not go into effect until July of 2023, businesses that are regulated by the Act would do well to take a proactive approach to ensure their practices are compliant with the CPA and that they have the necessary protocols and mechanisms in place to respond to consumers’ requests by the time the statute goes into effect. Lewis Brisbois’ Data Privacy & Cybersecurity Team has considerable experience advising businesses on such matters and working closely with senior leadership to craft appropriate policies and procedures to ensure compliance with all state and federal data security regulations

For more information on the CPA, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up. Visit our Data Privacy & Cybersecurity Practice page to learn more about this team’s capabilities.

NOTE: This post was updated on July 13, 2021 following the governor's signature and enactment of the law.

< Previous Post Next Post >

Related Attorneys

Find an Attorney

Each of the Firm's offices include partners, associates and a professional staff dedicated to meeting the challenge of providing the firm's clients with extraordinary service.