The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.
How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note.
- Establishing consumer rights. As with the VCDPA and the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike CCPA, which permits an authorized agent to submit any consumer requests, under ColoPA, authorized agents can only submit sale opt-out requests.
- Universal opt-out requests. ColoPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out (e.g., global privacy control) by July 1, 2023, which controllers must honor starting July 1, 2024. Note there also will be CPRA regulations on this point with compliance likely due by January 1, 2023. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under ColoPA.
- Appealing consumer rights decisions. Like Virginia, ColoPA requires controllers to set up mechanisms permitting consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must then inform the consumer of its reasons for rejecting the request and also inform the consumer of his or her ability to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
- Requiring data protection assessments. Similar to GDPR, and consistent with the VCDPA, ColoPA requires data protection assessments (“DPAs”) for certain processing activities, namely, targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with Virginia, the Colorado Attorney General has the right to request copies of a controller’s DPAs.
- Consent for certain processing. Again following Virginia’s lead, ColoPA requires opt-in consent for the processing of sensitive personal information, which covers categories such as racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data used for uniquely identifying an individual. ColoPA also requires consent for processing children’s data, with a “child” being any individual under the age of 13. Unlike the VCDPA, ColoPA does not require COPPA-compliant consent for such processing, but ColoPA does exempt from the law personal data that is processed consistent with COPPA requirements.
- Right to cure. ColoPA allows controllers to cure violations and is unique by establishing the longest right to cure, at 60 days, and also because the statute repeals the provision on January 1, 2025. By this date, the Attorney General may have established rules to issue opinion letters and guidance that businesses can rely on in good faith to defend an action that would otherwise violate the law. Such rules must go into effect by July 1, 2025.
- Consent for secondary use. ColoPA also establishes a “duty to avoid secondary use.” This duty requires consent to process personal data for purposes “not reasonably necessary or compatible with” the original purposes for collection. This requirement suggests that businesses need to keep detailed records of the personal data that they are collecting, the purposes for initially collecting such personal data, confirm such purposes are consistent with disclosures made to consumers, and track the scope of consent in connection with such data uses.
| | ColoPA | VCDPA | CCPA (as amended by CPRA) |
|---|---|---|---|
| Thresholds to Applicability | Conduct business in CO or produce products or services targeted to CO and (a) control or process personal data of at least 100,000 consumers; or (b) derive revenue or receive a discount on the price of goods or service from selling personal data or controls personal data of at least 25,000 consumers | Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers | Conduct business in CA and collect personal information of CA residents and: (a) has $25 million or more in annual revenue for preceding calendar year as of Jan. 1 of calendar year; (b) annually buys, sells, or shares personal data of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumer personal information |
| Consent | Requires opt-in consent for processing sensitive personal data, including children’s data, and certain secondary processing | Requires opt-in consent for processing sensitive personal data, and COPPA-compliant consent for processing children’s data | Requires opt-in consent for sharing PI for cross-context behavioral advertising for children under 16, including parental consent for children under 13 |
| Opt-Out | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for profiling, cross-contextual advertising, and sale; right to limit use and disclosure of sensitive personal information |
| Other Consumer Rights | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability |
| Authorized Agents | Permitted for opt-out requests | N/A | Permitted for all requests |
| Appeals | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights | N/A |
| Private Cause of Action | No | No | Yes, related to security breaches |
| Cure Period? | 60 days until provision expires on Jan. 1, 2025 | 30 days | No |
| Data Protection Assessments | Required for targeted advertising, sale, sensitive data, certain profiling | Required for targeted advertising, sale, sensitive data, certain profiling | Annual cybersecurity audit and risk assessment requirements to be determined through regulations |
Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any example, other state privacy efforts may not veer too far from the paths VCDPA and CCPA have forged. The key will be to closely monitor how CalPPA and the Colorado Attorney General address forthcoming regulations and whether they add new distinct approaches for each state. Check back on our blog for more privacy law updates.