Colorado Becomes the Latest State to Enact a Comprehensive Privacy Law

The Centennial State recently enacted a comprehensive new privacy law.  The Colorado Privacy Act (ColoPA) will become effective on July 1, 2023, six months after the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VA CDPA), which both take effect on January 1, 2023.  ColoPA is substantially similar to existing state privacy laws and the EU’s General Data Protection Regulation (GDPR), but there are some key differences. The remainder of this article summarizes the important aspects of ColoPA and how they compare to existing state privacy laws.

ColoPA defines “consumer” to mean a natural person who is a Colorado resident acting only in an individual or household context in providing personal data, which is analogous to the VA CDPA’s definition of consumer and is narrower than the comparable definitions used in the CCPA and the GDPR.  ColoPA specifically excludes an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of something acting in an employment context.

Under ColoPA “personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publicly available information.

ColoPA applies to legal entities that conduct business in, or produce products or services that are targeted to Colorado consumers and that either (1) control or process personal data or more than 100,000 Colorado consumers per calendar year; or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data, and control or process the personal data of at least 25,000 Colorado consumers.

ColoPA’s applicability standards are similar to those in the VA CDPA, although ColoPA’s second applicability standard is broader, encompassing the receipt of discounts as well as revenue from the sale of personal data.

Compliance Roles
ColoPA is similar to the GDPR and the VA CDPA in that it defines two main compliance roles: controllers and processors.   Controllers are required to perform a data protection assessment of any processing activities that present a heightened risk of harm to consumers, which includes processing for targeted advertising, profiling, and the sale of personal or sensitive data.

Those acting as a processor of data are to be governed by a contract that describes the type of data subject to processing, confidentiality obligations, subcontracting requirements, security measure, and audit rights.

Consumer Rights
Like existing state privacy laws, ColoPA grants consumers the right to make requests to (1) opt-out of certain types of processing; (2) access their personal data; (3) correct inaccuracies in their personal data; (4) delete their personal data; and (5) obtain a copy of their personal data in a portable format.

ColoPA’s opt-out rights are similar to those in the VA CDPA, in that they allow consumers to opt-out of processing of their personal data for purposes of targeted advertising, the sale of personal data, or for profiling the consumer in a way that produces legal or similarly significant effects on the consumer.  A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary. Like under the VA CDPA, a controller must also provide consumers with an appeals process if it denies a consumer’s request.

Rules and Enforcement 
The Colorado Attorney General will promulgate rules for a universal opt-out mechanism under ColoPA by July 1, 2023, and will further promulgate rules for issuing opinion letters and interpretative guidance to develop an operational framework, including a safe harbor for compliance, by July 1, 2025.

Thankfully, there is no private right of action under ColoPA. Instead, the Colorado Attorney General and district attorneys have exclusive enforcement rights. Upon receipt of a notice of violation, a controller has 60 days to cure the violation. However, the right to cure will be repealed on January 1, 2025.

As state after state introduces its own privacy legislation, the compliance challenges mount, which will increase the pressure on Congress to enact a single, comprehensive privacy law at the federal level that will preempt conflicting state law. Until that happens, those companies that may be subject to ColoPA should start planning for compliance, however challenging that might be.

You must be logged in and authorized to view this content.