Colorado

Summary

Law: The Colorado Privacy Act ('CPA')

Regulator: The Colorado Attorney General ('AG')

Summary: With the CPA, Colorado became the third US State to pass its own privacy law. The CPA provides several privacy rights, including the right to opt-out of the processing of personal data, as well as the right to access, correction, or deletion of personal data, or to obtain a portable copy of the data. Furthermore, the CPA imposes obligations on data controllers such as purpose specification, data minimization, and the use of sensitive data, among others. In addition, the CPA requires controllers to conduct assessments when processing personal data in activities that present a heightened risk to consumers and assigns enforcement powers to the AG and District Attorneys. The CPA entered into effect on 1 July 2023.

On 30 September 2022, the AG published its draft rules implementing the CPA. In particular, these rules would expand privacy requirements under the CPA and address topics such as consumer requests, data protection assessments, profiling, and the universal opt-out mechanism. On 15 March 2023, the finalized CPA rules were filed with the Colorado Secretary of State's Office and will enter into effect on 1 July 2023.

In addition to the CPA, House Bill 18-1128 for an Act Concerning Strengthening Protections for Consumer Data Privacy ('the Act') was signed into law and entered into force on 29 May 2018. The Act amends § 6-1-713 of the Colorado Revised Statutes and concerns, among other things, the disposal of personal identifying information by requiring a written policy to be developed for the destruction or proper disposal of such documents. The Colorado Revised Statutes, as amended by the Act, set out the breach notification requirements, including stipulating the content and timeframe for notices to be sent to the AG.

You can track other US State bills through our US State Law Tracker.

Insights

In this Insight article, John Romano and Jessie Adamson, from Baker Tilly, delve into Colorado's recent regulatory developments, specifically focusing on life insurers' utilization of Big Data, external consumer information, algorithms, and predictive models.

On 15 March 2023, the Colorado Attorney General's ('AG') Office announced it had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State. The CPA Rules will go into effect on 1 July 2023 - the same date the Colorado Privacy Act ('CPA') goes into effect.

The CPA Rules both operationalise the CPA and create additional compliance obligations for controllers, including in the areas of privacy notices, processing purposes, secondary uses, data minimisation, the processing of sensitive data inferences, Data Protection Assessments ('DPAs'), and profiling. David Stauss, Partner at Husch Blackwell LLP, identifies and discusses those areas and provides key takeaways for controllers that must comply with the CPA.

In the US, California has been leading the charge in developing privacy standards and regulating the processing and selling of personal information, most importantly with the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA') ('CCPA as amended'). Other states are adopting similar legislation: on 7 July 2021, the Colorado Governor, Jared Polis, signed Senate Bill 21-190 for the Colorado Privacy Act ('CPA') into law.

Lothar Determann, Helena Engfeldt, Jonathan Tam, and Tom Tysowksy, from Baker & McKenzie LLP, draw comparisons between the CPA and the CCPA as amended, focusing on who and what data is protected, compliance, and enforcement.

The Colorado Attorney General ('AG') announced, on 15 March 2023, that they had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State's Office. In particular, the CPA Rules implement the Colorado Privacy Act ('CPA') and expand on privacy requirements, including consumer requests, data protection assessments, profiling, and the universal opt-out mechanism, among other things.

In this Insight article, OneTrust DataGuidance Research provides an overview of the finalised version of the CPA Rules, highlighting key requirements introduced by the same.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

On 30 September 2022, the Colorado Attorney General ('AG') published its draft rules implementing the Colorado Privacy Act ('CPA') ('the Draft Rules'). In this three-part Insight series, OneTrust DataGuidance Research breaks down the key provisions of the Draft Rules. Part three is dedicated to data protection assessments, profiling, and next steps in the rulemaking process as outlined in the Notice of Proposed Rulemaking ('the Notice').

In part one, we examined definitions, disclosure obligations, and consumer data protection rights under the Draft Rules. In part two, we provided an overview of the Universal Opt-Out Mechanism, duties of controllers, and consent.

On 30 September 2022, the Colorado Attorney General ('AG') published its draft rules implementing the Colorado Privacy Act ('CPA') ('the Draft Rules'). In this three-part Insight series, OneTrust DataGuidance Research breaks down the key provisions of the Draft Rules. In part two, we provide an overview of the Universal Opt-Out Mechanism, duties of controllers, and consent.

In part one, we examine definitions, consumer disclosure obligations, and consumer personal data rights under the Draft Rules. In conclusion, part three is dedicated to data protection assessments, profiling, and next steps in the rulemaking process.

On 30 September 2022, the Colorado Attorney General ('AG') published its draft rules implementing the Colorado Privacy Act ('CPA') ('the Draft Rules'). In this three-part Insight series, OneTrust DataGuidance Research breaks down the key provisions of the Draft Rules. In part one of this Insight series, we examine definitions, consumer disclosure obligations, and consumer personal data rights under the Draft Rules.

Part two provides an overview of the Universal Opt-Out Mechanism, duties of controllers, and consent. In conclusion, part three is dedicated to data protection assessments, profiling, and next steps in the rulemaking process.

The Colorado Senate re-passed, on 8 June 2021, Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy ('CPA'), following their consideration of amendments made to SB 21-190 by the Colorado House of Representatives.

On 7 June 2021, the bill was signed by the Governor. The CPA will enter into effect on 1 July 2023.