On July 7, 2021, Colorado enacted the Colorado Privacy Act (“CPA”). The CPA is yet another state privacy law similar to the California Consumer Privacy Act (“CCPA”) and the Virginia Consumer Data Protection Act. The CPA applies to anyone that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and: 1) controls or processes the personal data of at least 100,000 consumers or more during a calendar year; or 2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
Like the CCPA, the CPA establishes certain data privacy rights for consumers. These include (1) the right to opt out of the processing of personal data; (2) the right to access and delete personal information; and (3) the right to be informed of data collection. The CPA affords additional rights, including the right to correct personal data and the right to opt out of behavioral advertising. (These rights will be added to the CCPA when the California Privacy Rights Act amendments take effect on January 1, 2023.)
Unlike the CCPA, the CPA does not contemplate a private right of action. (The CCPA contains a limited private right of action where California resident “nonencrypted and nonredacted personal information” is subject to theft or disclosure because of a failure to maintain reasonable security measures.) CPA enforcement is limited to the Colorado Attorney General’s Office and county district attorney offices.
Businesses will have until July 1, 2023, to comply with the CPA regulations.
If you have questions about state privacy laws or your business’ compliance policies, contact feel free to contact Joseph Messer at jmesser@messerstrickler.com or (312) 334-3440 for a free initial consultation.