Colorado became the third state to pass a comprehensive data privacy law when Gov. Jared Polis signed the Colorado Privacy Act (CPA) on Wednesday.
The CPA contains privacy protections much closer to those in Virginia’s law—the Consumer Data Protection Act (CDPA)—passed earlier this year than to the California Consumer Privacy Act (CCPA), which took effect last year. California voters in November passed an enhanced version of the CCPA called the California Privacy Rights Act (CPRA); the CPRA and CDPA both take effect in January 2023.
Colorado’s privacy law will take effect July 1, 2023.
“It’s not the twin of Virginia’s law, but it’s definitely a sibling or cousin,” said Sarah Rippy, Westin research fellow with the International Association of Privacy Professionals, which tracks privacy bills at the state level. “There’s nothing really groundbreaking in the Colorado bill as far as the privacy rights for consumers.”
The CPA (SB21-190) provides state residents with privacy rights including the ability to opt out from having companies process their personal data; the right to access, correct, or delete their personal data; and other provisions. The law requires affected companies to show why they are collecting the data, how they use it, and to minimize the use of personal data. The law prohibits discrimination against consumers who assert their privacy rights.
The CPA does not set a fine amount per violation. Infringement of the law would be classified as a deceptive trade practice under the Colorado Consumer Protection Act, which was amended in 2019 and now levies a $20,000 fine per violation, with no cap on the total fine amount.
By comparison, the CCPA includes $7,500 fines per intentional violation and $2,500 per unintentional violation. The CDPA will issue fines of $7,500 per violation.
In a statement that accompanied the ceremony in which he signed the bill into law, Polis said the protections included “will keep consumers safe from harmful practices and hopefully will become a template for a nationwide standard passed by Congress in the future.” But he also sounded a note of caution, saying the law will need some tweaking to prevent it from stifling the state’s “competitiveness with other states as an incubator for new technologies and innovations.”
He said state legislators are already having conversations about amending the bill and urged legislators to strike an appropriate balance between advancing consumer protection while also protecting Colorado’s “position as a top state to do business.”
Absent a federal privacy law, each state’s legislation is significant, according to Colorado Attorney General Phil Weiser.
The CPA applies to companies that control or process the personal data of more than 100,000 consumers per year or derive revenue from the sale of personal data of at least 25,000 consumers. Unlike Virginia’s privacy law, the CPA contains no revenue threshold, meaning the law will apply to smaller companies. The bill defines “controllers” as entities that determine the process and means for collecting personal data, while “processors” are entities that process that data.
“This law is setting out the same types of rights that we are seeing in other recently enacted state privacy laws. For example, if companies are taking reasonable steps to comply with Virginia’s recently enacted law, Colorado should fit in pretty well,” said Vivek Mohan, partner in Mayer Brown’s Cybersecurity & Data Privacy practice.
Mohan added Colorado is small enough (5.8 million residents in the 2020 census) that companies might consider carving out privacy rights prescribed in the law for Colorado residents without bestowing them on all their customers.
Colorado Attorney General Phil Weiser
Such a move would have a precedent, of sorts. National companies have chosen to treat Colorado job seekers differently because of a 2019 law, the Equal Pay for Equal Work Act. Meant to close gender gaps in pay, the law requires employers to post a salary range for open positions.
In response, nearly 100 national firms have posted job openings that exclude Colorado residents from being eligible to work as remote employees, according to a June 21 story on reason.com, a libertarian magazine. Companies like Airbnb, Ally Financial, Johnson & Johnson, and Century 21 have posted job openings that exclude Colorado residents from working remotely, according to the Website coloradoexcluded.com.
In addition to the Colorado attorney general’s office, the CPA will also be enforced by the state’s 22 district attorneys—a first for any comprehensive state privacy law, experts said. The law contains no private right of action, meaning consumers cannot sue companies if they believe their privacy rights have been violated. Private right of action has been a stumbling block in the approval of similar bills in Florida and Washington state.
The CPA requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that presents a “heightened risk of harm to consumers,” which is described “as processing for purposes of targeted advertising, profiling, or selling personal data, or processing sensitive data.” This assessment would be requested by the Colorado attorney general.
The law contains a 60-day cure period, which means companies would have 60 days to address noncompliance before the attorney general’s office would launch an enforcement action.
The CPA might be the last state privacy law passed in this legislative session.
Rippy said that while the IAPP is tracking seven active privacy bills in five states, they do not have much momentum. A bill proposed in Texas died last month.
“None of these bills have moved in months. I’d be very surprised if another state passed a privacy bill this session,” she said.