On June 8, 2021, the Colorado General Assembly adopted the Colorado Privacy Act (“CPA”). If signed by Governor Jared Polis, Colorado will join California and Virginia as the third state in the Union to pass comprehensive data privacy legislation. Following in the footsteps of the California Consumer Privacy Act (“CCPA”) and the Virginia Consumer Data Protection Act (“CDPA”), the CPA will establish certain consumer data privacy rights and require businesses to protect consumers’ personal data. As with the CDPA, the CPA will not take effect until July 1, 2023. However, if it is enacted, companies should soon consider implementing CPA compliance measures.
What are the main CPA requirements?
Colorado Privacy Law Details
The CPA would apply to “legal entities that carry on business or manufacture products or services that intentionally target Colorado residents” and that also meet at least one of the following criteria: 1) control or process the personal data of more than 100,000 consumers in a calendar year; or 2) earn income from the sale of personal data and control or process the personal data of at least 25,000 consumers. Personal data protected by certain federal laws, such as the Gramm-Leach-Bliley Act, and health and patient information covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), will be exempt from the Act.
Similar to the CDPA, the CPA defines “personal data” as “information that is related or reasonably related to an identified or identifiable person”. The definition excludes anonymized or publicly available information.
Consumer rights and enforcement
The CPA includes a number of consumer privacy rights that are also found in the CCPA. For example, the CPA gives consumers the right to: 1) refuse the processing of their personal data; 2) access, correct or delete their data; and 3) obtain a portable copy of their data. Like the EU General Data Protection Regulation (“GDPR”), the CPA distinguishes between a “controller” and a “processor”. The CPA defines a “controller” as “a person who, alone or jointly with others, determines the purposes and means of processing personal data”. A “processor” is simply that: a person who processes personal data on behalf of a controller. If the law is enacted, data controllers would be required to conduct a data protection assessment for activities involving personal data that pose an increased risk of harm to consumers, such as processing for targeted advertising purposes or the processing of sensitive data. “Sensitive data” includes, in part, personal data that reveals racial or ethnic origin, citizenship, genetic or biometric data, and the personal data of children.
The CPA does not include a private right of action for consumers, entrusting enforcement of the Colorado privacy law exclusively to the office of the Colorado attorney general and the respective offices of district attorneys. Parties who violate the CPA face penalties not exceeding $2,000 per violation, capped at $500,000 in total for any series of related violations. Businesses would first be notified of suspected violations by the Colorado attorney general’s office or district attorneys. After receiving the notice, companies would have sixty (60) days to remedy the alleged violations. Similar to the CCPA, the CPA would allow the Colorado attorney general’s office to adopt rules on the technical specifications of universal opt-out mechanisms. These rules are expected to be adopted by July 1, 2023. Businesses should continue to monitor the CPA and other state-specific data privacy laws to avoid significant investigations and fines.