Colorado Becomes Third State to Enact Comprehensive Data Privacy Law
The Situation: Since the California Consumer Privacy Act ("CCPA") was passed in 2018, multiple states have proposed comprehensive consumer protection laws.
The Result: On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act ("Act") into law, making Colorado the third state to enact a comprehensive data privacy law.
Looking Ahead: The Act takes effect on July 1, 2023. Businesses should begin carefully reviewing the Act's compliance requirements and their own privacy compliance programs now, given the time needed to come into compliance with the Act.
Colorado has joined California and Virginia as the third state with a comprehensive data privacy law. On July 7, 2021, Colorado Governor Polis signed the Act into law, following the Colorado Senate's passage of the Act as amended by the Colorado House of Representatives. The Act takes effect July 1, 2023.
The Act comes on the heels of the March 2021 passage of the Virginia Consumer Data Protection Act ("VCDPA") and appears to borrow many data protection principles from both the VCDPA and the European Union's General Data Protection Regulation ("GDPR").The Act will be subject to future rulemaking by the Colorado Attorney General.
Scope of the Act
Unlike the CCPA, the application of the Colorado Act does not depend upon a threshold revenue requirement. Rather, the Act applies only to persons or entities that conduct business in Colorado, or produce or deliver commercial products or services intentionally targeted to residents of Colorado; and that either: (i) control or process the personal data of 100,000 or more Colorado residents annually or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents.
As with the VCDPA and GDPR, the Colorado Act broadly defines "personal data" as "information that is linked or reasonably linkable to an identified or identifiable individual[.]" Likewise, the Act borrows from those laws to create obligations for data "controllers" (i.e., those determining the processing of personal data) and "processors" (i.e., those processing personal data on a controller's behalf).
Duties of Data Controllers and Processors
The Colorado Act imposes multiple obligations on data controllers, including duties to:
- Disclose processing activities in a reasonably accessible, clear privacy notice;
- Specify the express purposes for which personal data are collected and processed;
- Obtain affirmative consent before collecting and otherwise processing "sensitive data" concerning a consumer;
- Implement technical and organizational measures that provide a level of security appropriate to risk; and,
- Conduct data protection assessments for certain processing activities created or generated after July 1, 2023, including for targeted advertising, the sale of personal data, processing of sensitive data, and others that present a heightened risk of harm to consumers.
In addition, data controllers are required to comply with requests from consumers who exercise the right to: opt out of processing of personal data for purposes of targeted advertising, sale of personal data, or profiling for use in making significant decisions concerning the consumer; confirm whether personal data is being processed and obtain a copy of that personal data in a portable, technically feasible, and readily usable format; correct inaccuracies; and delete personal data. The Colorado Act requires data controllers to act on any such request within 45 days.
Enforcement and Rulemaking Authority
Like the VCDPA, the Act does not create a private right of action. Instead, the Colorado Attorney General and district attorneys have exclusive enforcement authority. A company in violation of the Act may be subject to civil penalties of up to $20,000 per violation. Notably, before imposing sanctions, the Colorado Attorney General or district attorney is required to issue a notice of violation to the suspected data controller and provide it with a 60-day period to cure any alleged violations. This right to cure provision will sunset on January 1, 2025.
The Colorado Attorney General has authority to promulgate rules for the purpose of carrying out the Act. Specifically, the Act mandates that the Colorado Attorney General detail technical specifications for universal opt-out mechanisms by July 1, 2023. The Act also grants discretion to create rules—by January 1, 2025—to govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses seeking to comply with the Act. Importantly, that framework will include a good-faith reliance defense.
Businesses should note that the Act has requirements that are different from the Virginia and California laws. Although the law will not become effective until July 1, 2023, putting in place measures to comply with it may require significant planning and time. Accordingly, businesses should review the new Colorado compliance requirements to determine if they apply and, if so, should start developing a compliance plan.
Three Key Takeaways
- Although the Colorado Act does not come into effect until July 1, 2023, businesses should begin a close review of both the Act's compliance requirements and their own privacy compliance programs.
- While the Act borrows some provisions from the CCPA and VCDPA, it diverges from those laws in notable ways, including its threshold for applicability and lack of a private right of action (which differs from the CCPA) as well as its grant of enforcement authority to both the Colorado Attorney General and district attorneys (which differs from both the CCPA and VCDPA).
- Even after the Act has come into effect, businesses should continue to make note of any rules the Colorado Attorney General issues that may impact compliance requirements.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.