Colorado Enacts New Consumer Privacy Law

Published: Jun. 10, 2021

Updated: Jun. 13, 2023

Colorado has joined the growing number of U.S. states enacting consumer privacy legislation. On July 7, 2021, Colorado’s governor signed the Colorado Privacy Act (SB21-190) (CO CPA) into law. The new law will take effect on July 1, 2023 – just six months after the California Privacy Rights Act (CA CPRA) amendments to the existing California Consumer Privacy Act (CA CCPA) and Virginia’s Consumer Data Protection Act (VA CDPA) come into effect.

1 – Framework & Scope

The CO CPA establishes a set of rights and obligations that will be familiar from both these existing U.S. privacy laws and the EU GDPR. It grants consumers access, correction, deletion, data portability, and opt-out rights, and imposes on “data controllers” the duties of transparency, care, purpose specification, avoidance of unlawful discrimination and secondary data use, and data minimization. It also contains certain duties regarding the use of “sensitive” data.

The CO CPA would apply to entities that do business in Colorado or produce products or services intentionally targeted to Colorado residents, and either (1) control or process personal data (PD) of more than 100,000 Colorado residents per year or (2) derive revenue or discounts from selling PD and control or process PD of at least 25,000 Colorado residents.

2 – Notable Provisions

While the CO CPA has many similarities to the CA CCPA, CA CPRA, and VA CDPA, one key difference is that nonprofit organizations are not exempt. The CO CPA applies to nonprofits if they meet the relevant criteria. And importantly, the CO CPA does not contain a private right of action.

Other notable provisions resemble the CA CCPA (as amended by the CA CPRA). For example:

  • “Sale” is defined as providing a third party with PD in exchange for “monetary or other valuable consideration,” as in the CA CCPA. However, the CO CPA contains the exceptions to “sale” found in the VA CDPA, which are broader than those of the CA CCPA.
  • “Dark pattern” is defined, as in the CA CPRA, to mean “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.” Consent obtained through dark patterns is not valid. 

Like the VA CDPA, the CO CPA allows consumers to opt out of certain data processing, requires data controllers to obtain consent to process sensitive data, requires controllers to perform data protection assessments in some cases, and does not include a private right of action, as follows:

  • Opt-out rights include the right to opt out of the processing of PD for the purposes of targeted advertising, the sale of PD, or profiling in furtherance of decisions that produce significant effects (e.g., legal effects) concerning a consumer. The CO CPA also expressly directs the Colorado Attorney General to establish technical requirements for a universal opt-out mechanism.
  • Sensitive data (defined to include standard data elements such as race, ethnic origin, religious beliefs, mental or physical health information, sex life, citizenship, genetic or biometric data that can uniquely identify an individual, and data about children under 13) may only be processed with a consumer’s consent. This opt-in method contrasts with the CA CCPA’s opt-out approach, whereby businesses may collect sensitive data with adequate disclosures but must respect consumer requests to limit the use and disclosure of this data.
  • Data protection assessments are required if processing presents a heightened risk of harm to consumers – e.g., if a controller processes sensitive data, sells PD, or processes PD for the purpose of targeted advertising or profiling. The Colorado Attorney General has authority to review data protection assessments and impose penalties for noncompliance.
  • No private right of action is created under the CO CPA. Instead, the Colorado Attorney General and district attorneys must bring enforcement actions. From July 1, 2023 to January 1, 2025, controllers will have a 60-day cure period if the Attorney General or district attorney deems a cure possible. After January 1, 2025, there will be no cure period.

Similar to the EU GDPR, the CO CPA also imposes certain obligations on “data processors” to only process data on the instructions of the controller, assist the controller in data protection impact assessments and security obligations, and provide the controller with audit rights, deletion rights, and the ability to object to subprocessors.

In blending components of the CA CCPA (and its CA CPRA amendments), the VA CDPA, and the EU GDPR, the CO CPA establishes a comprehensive privacy regime that requires in-scope companies to fully analyze their data collection, use, sharing, and data security practices. U.S. companies that are not currently subject to the GDPR will need to consider how to scale their existing privacy compliance programs accordingly. And all companies will need to consider the nuances of each of these new laws to determine any unique requirements that may be applicable in some, but not all, jurisdictions.