Published on July 20, 2021

Not to be outdone by California and Virginia, legislators in Colorado recently passed a data privacy law, making Colorado the third state with comprehensive data privacy legislation. Bill SB 21-190 unanimously passed the Colorado state Senate on May 26. Then, with a vote of 57-7, the state legislature passed it on June 8, and it was signed into law by Governor Jared Polis early this month.

Although the Colorado Privacy Act (CPA) closely mirrors Virginia’s Consumer Data Protection Act (CDPA) and California’s CPRA, it is not a direct copy of these laws.
[Chart comparing consumer rights under the California (CA), Colorado (CO), and Virginia (VA) laws. Chart notes: ¹ CPRA’s right of restriction/limitation applies only to sensitive personal data; * continued to the 2021 Special Session; ~ right to opt out of certain automated decision-making activities.]

Consumer benefits of the Colorado Privacy Act

Much like the CPRA, the CPA allows consumers to opt out of the processing of certain personal data. Consumers have rights of data access, correction, deletion, and portability. This means that consumers can access their data up to twice per calendar year. They can delete their data, correct any inaccurate information, and move their personal data from one location to another, if they choose to do so. That said, there are a few exemptions to these rules.

Businesses’ obligations under the CPA

The CPA pertains to any company that conducts business in Colorado and meets one of the following two criteria: (1) The company controls or processes personal data of at least 100,000 consumers; or (2) the company receives revenue from the sale of personal data of at least 25,000 consumers.

These companies, or “controllers” as they’re called, must conduct data protection assessments for certain types of data processing. These assessments are mandatory for any processing that presents a heightened risk of harm, including the processing of sensitive data, processing data for targeted advertising, and processing data to sell to a third party. As a caveat, companies can always process their consumers’ sensitive data if the consumers choose to opt in.

Under the CPA, controllers also have the following obligations:
• A duty of transparency, whereby controllers must provide privacy policy disclosures to their consumers.
• A duty of purpose specification, which mandates that controllers explicitly state their purposes for collecting and processing customer data.
• A duty of data minimization, which requires that controllers only collect the customer data that is reasonably necessary.
• A duty to avoid secondary use, which essentially means that the controllers cannot process the customers’ data for any reason(s) other than the controllers’ specified purposes—unless, of course, consent is obtained.
• A duty of care, whereby controllers must implement reasonable measures to secure their customers’ data.

Exemptions, exclusions, and enforcement

It’s important to note that there are a few exceptions to the aforementioned business obligations. Publicly available information, employee data, and de-identified data are all exempt from the CPA. Also, any data governed by federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), and the Securities Exchange Act of 1934, is not subject to the CPA, as these federal privacy laws take precedence.

Colleges, non-profits, and state and local governments are also exempt from the CPA. Additionally, certain processing activities are excluded from the CPA, including detecting fraud or illegal activity and conducting internal research to develop products.

Perhaps the most egregious omission in the CPA lies in its enforcement. Unlike the CPRA, the CPA contains no private right of action clause, making it difficult for individuals to sue companies. Consumers must rely on the Colorado Attorney General or the District Attorney’s office to handle enforcement.

Lastly, from January 1, 2023 (when the CPA goes into effect) to January 1, 2025, companies will have a 60-day window to address and remedy any infractions before the Colorado AG or DAs are able to hit them with a violation. On January 1, 2025, this 60-day “cure period” will be automatically repealed.

Important takeaways

Although the Colorado law will not be enforced until January 1, 2023, companies should adhere to its statutes as soon as possible. Until the U.S. gets a federal data privacy law, these state-level data privacy laws will continue to come down the pike.

The growing patchwork of US data privacy laws will only get more confusing for businesses that ignore them, or choose to operate differently in various states. The most prudent thing to do is to voluntarily comply with the most rigorous data privacy regulation in the US and then practice that compliance in all 50 states as soon as possible. By doing so, businesses can be sure to avoid expensive fines, interruptions to their business operations, and general aggravation in early 2023.

— Chart via and featured image via Andrew Coop, Unsplash

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.