April 6, 2021

Like Virginia and Washington before it, on March 19, 2021, Colorado introduced a data privacy bill, the Colorado Privacy Act (CPA). As currently drafted, the CPA would be similar to other U.S. state privacy laws, including California’s CCPA, Virginia’s Consumer Data Protection Act and Washington’s Privacy Act, although it also bears a close resemblance to the GDPR. If passed, the CPA would go into effect on January 1, 2023.

1. Who would be subject to the CPA?

The CPA applies to organizations that conduct business in Colorado or intentionally target their products or services to Colorado residents (individuals or households, “Consumers”) and that either: (1) control or process personal data of more than 100,000 Consumers per calendar year; or (2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 Consumers. As with California’s CCPA, the CPA does not apply to employment records and other personal data governed by certain state and federal laws.

2. What are the main obligations?

The CPA grants Consumers certain rights, namely the right to:

  • Opt-out of the processing of personal data;
  • Authorize another person to act on their behalf to opt-out of the processing of personal data for purposes of targeted advertising or the sale of the Consumer’s data;
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format;
  • Correct inaccurate personal data;
  • Delete personal data; and
  • Obtain consent before collection of certain sensitive personal data (personal data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status).

Organizations are also required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.

Finally, organizations are required to provide Consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must contain disclosures regarding applicable data collection and sharing practices.

3. What are the main sanctions for noncompliance?

The Colorado Attorney General’s office and state district attorneys would enforce the CPA. The bill provides for civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. There is no private right of action.