Colorado Joins US Privacy Landscape with Colorado Privacy Act
Colorado Governor Jared Polis signed Senate Bill (SB) 21-190, otherwise known as the Colorado Privacy Act (CPA), on July 7, 2021. The CPA will become effective on July 1, 2023. Colorado becomes the latest state to join the US Privacy Landscape with its own comprehensive privacy law following the Virginia Consumer Data Protection Act (CDPA), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA).
Watch the webinar to hear from OneTrust DataGuidance and a panel of experts on the new law in Colorado.
What is the CPA?
The CPA is a comprehensive privacy law passed in the state of Colorado, making it the third state after California and Virginia to pass such a law in the US. The CPA uses similar language to that found in the General Data Protection Regulation (GDPR), and its provisions are largely similar to those within the CDPA. However, there are several differences that should be taken into account, including certain exemptions, penalties, and enforcement.
The CPA applies to any data controller that conducts business in Colorado or data controllers that produce or deliver commercial products or services intentionally targeted to residents of Colorado and either:
- Processes or controls the personal data of at least 100,000 consumers in a calendar year; or
- Processes or controls the personal data of 25,000 consumers or more and derives revenue or receives discounts on the price of goods or services from the sale of personal data.
There are notable exemptions from the scope of the CPA including employee and job applicant data and de-identified data, among other things. Personal data covered by sector-specific laws such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Health Insurance Portability and Accountability Act (HIPAA) is also exempt from the CPA’s requirements.
Other key compliance areas of the CPA to consider include the new definition for sensitive data, which includes racial and ethnic origin, religious beliefs, and genetic and biometric data. The CPA also includes provisions for several new consumer rights, including the right to access, the right to delete, and the right to data portability, among others. Additionally, consumers have the right to opt out of the processing of personal data for profiling and targeted advertising, and to opt out of the sale of personal data.
Under the CPA, data controllers are required to carry out risk assessments for activities including the processing of personal data for the purposes of targeted advertising, profiling (if said profiling presents a heightened risk of harm), and the sale of personal data. The risk assessment should weigh the risks and benefits of the processing activity and should include several factors, such as the context of the processing, the reasonable expectations of consumers, and the use of de-identified data.
In relation to enforcement, the Colorado Attorney General and District Attorney are responsible for upholding the requirements of the CPA and can issue civil penalties of up to $2,000 per violation of the CPA, with a total maximum penalty of $500,000. The CPA gives organizations a 60-day cure period to remedy violations of its provisions. There is no private right of action for consumers.
Webinar: Colorado Joins US Privacy Landscape With New Law
In this webinar, OneTrust DataGuidance and an expert panel discuss the details of the new privacy law in Colorado, the implications for organizations and their obligations under the law, and key compliance considerations.
Key takeaways include:
- The nature of the CPA and how it impacts organizations
- How the CPA compares to other US Privacy Laws, like the CCPA and CDPA
- How this law impacts organizations and the steps they should take to ensure compliance
Further Resources on the Colorado Privacy Act:
- OneTrust DataGuidance News: Colorado: Personal data privacy bill signed into law by Governor
- OneTrust DataGuidance Portal: Colorado Privacy Act
- OneTrust Blog: Colorado Privacy Act (CPA) Signed Into Law