December 7, 2022

Volume XII, Number 341


December 07, 2022

Subscribe to Latest Legal News and Analysis

December 06, 2022

Subscribe to Latest Legal News and Analysis

December 05, 2022

Subscribe to Latest Legal News and Analysis

Colorado Passes Comprehensive Privacy Law – 4 Quick Takeaways

Colorado’s governor, Jared Polis, signed the Colorado Privacy Act (“CPA”) into law on July 7th, 2021.  

Colorado joins California and Virginia as the third state with comprehensive privacy law in the United States. 

CPA adds nuance and complexity to the growing patchwork of US data protection requirements. We will follow up with more discussion on how this impacts your business in the lead-up to the law’s effective date (July 1, 2023).   Here are a few key highlights:

Who Is Protected?

CPA regulates Colorado residents in their individual or household capacity.  It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).  

Who Is Regulated?

CPA regulates “controllers” that conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents (“consumers”) and meet one of two thresholds: (1) controls or processes personal data of at least 100,000 consumers or (2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes personal data of at least 25,000 consumers. 

CPA does not apply to state agencies or political subdivisions of Colorado, entities or data subject to GLBA, higher education institutions and data collected by covered entities or business associates governed by HIPAA. 

What Changes Are Needed in Contracts?

The CPA requires controllers to include a list of provisions in their contracts with processors, including, but not limited to, requiring the processor to allow for audit and inspections and that its’ employees involved in the processing of data are subject to a duty of confidentiality.

How Will CPA Be Enforced?

CPA does not include a private right of action.  CPA may be enforced by the Colorado Attorney General’s Office and District Attorneys.  The AG and DAs will have the authority to ask a court to enjoin businesses whose actions in violation of the CPA.  For the first two years of the law, entities will have a 60-day notice and cure period to remedy any violations of the law before the AG or DAs can initiate an enforcement action. This cure period will be automatically repealed on January 1, 2025.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume XI, Number 190

About this Author

Tara Cho CIPP/US CIPP/E Data Security Attorney Womble Bond

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Of Counsel

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude