On 15 March 2023, the finalized Colorado Privacy Act rules were filed with the Colorado Secretary of State's Office and will enter into effect on 1 July 2023. The Colorado Privacy Act ("CPA") will soon join the California Consumer Privacy Act ("California Privacy Law (CCPA)") and the Virginia Consumer Data Protection Act ("Virginia Privacy Law (VCDPA)") as comprehensive state data privacy legislation, extending consumer rights and protections as well as business compliance obligations regarding data privacy.
The CPA came into effect on 1 July 2023 and applies to entities (including non-profits) that conduct business or target more than 100,000 consumers annually in Colorado, or profit from the sale of personal information of 25,000 or more Colorado residents. It is worth noting that the upper limit of civil penalties under the CPA are considerably higher than the existing civil penalty frameworks in California and Virginia, with fines up to $20,000 per violation for non-compliance with the CPA Rules.
Colorado Privacy Act – Key Rule Provisions
The detailed CPA Rules could create substantial compliance obligations for businesses in scope of this legislation. It is therefore highly recommended that these entities move swiftly to ensure compliance with the CPA.
A brief summary of some of the requirements under the CPA are listed below:
Processing Activity Requiring Consent. The CPA specifies that controllers must obtain affirmative consent prior to processing a wide range of consumer personal data and activity.
Requirements for Valid Consent. The CPA identifies specific elements that are necessary for establishing valid consent. Under this legislation, specific rules have also been made around processing Under Prior Consent as well as Re-seeking and Refreshing Consent.
Data Protection (Impact) Assessments. Among other obligations, the CPA outlines 13 components of a data protection assessment that generally address the nature, scope, purpose, associated risks as well as governance relating to the processing of personal data.
Data Minimization. Among other obligations, the CPA requires that the controllers annually review whether the storage of personal data is adequate, necessary or relevant for the stated purpose of processing.
Exercising Consumer Rights. Among other obligations, should the consumer submit more than one consumer data privacy right, completing the opt-out must take priority before any other consumer data privacy rights request.
Right of Access. The CPA requires that when responding to consumers' request to access, the controller must provide all the pieces of personal data it has collected and holds about the consumer.
Profiling. The CPA establishes a clear framework for considering automated decision-making (i.e., profiling) involving personal data.
Currently, several other U.S States, such as Indiana, Iowa and Utah have also already enacted their respective Data Privacy Legislation, which will become effective over the course of the next few years.
Given the ongoing changes to the Data Privacy Legislation in the United States, Bridewell highly recommends that the businesses and organizations that may be affected by these changes closely monitor this ever-evolving landscape.
Frequently Asked Questions
Who Does the Colorado Data Privacy Act Apply to?
The Colorado Data Privacy Act applies to any entities that conduct business or target more than 100,000 consumers annually in Colorado, or profit from the sale of personal information of 25,000 or more Colorado residents.
Who is Exempt from the Colorado Data Privacy Act
The Colorado Data Privacy Act doesn’t apply to financial organizations, which are already subject to the Gramm-Leach-Bliley Act, or to certain types of healthcare-related data and data governed by FERPA. If your business is subject to federal privacy laws already, you should look into the law’s exemptions to see if there are any relevant to you. However, in contrast to data privacy laws in California and Virginia, non-profits are not exempt from the Colorado Data Privacy Act. 
Does the Colorado Privacy Act Apply to Employee Data?
The Colorado act does not apply to employee or business-to-business (B2B) data.
How is the Colorado Privacy Act enforced?
The Attorney General's Office and District Attorneys have sole enforcement power under the CPA. The Attorney General's Office also has rulemaking authority under the law.