July 30, 2021

Volume XI, Number 211


The Colorado Privacy Act: How Does it Stack Up Against Other Privacy Laws?

The Colorado Privacy Act: How Does it Stack Up Against the GDPR?

Colorado is the third state, after California and Virginia, to get a comprehensive data privacy statute through its legislature. While the Colorado Privacy Act (CPA) awaits signature by Governor Polis, businesses are assessing to what extent the CPA will impact their privacy programs.

The following provides a high-level cross-reference to help companies that are currently compliant with the European GDPR understand how the CPA compares and contrasts with that regulation:

Issue

 Compliance Obligation

GDPR

Colorado Privacy Act

Ability to Process Data

Permissible Purpose

(Must obtain consent to process sensitive data)

Data Minimization

(May only collect minimum data necessary)

Individual Rights

Right to be Informed (aka Notice to Data Subjects)

Right to Access

Right to Correction (aka Right to Rectification)

Right to Deletion (aka Right to Be Forgotten)

Right to Opt-Out of Behavioral Advertising

(as part of larger right to object to legitimate interest or withdraw consent)

Right to Opt-Out of Sale

(as part of larger right to object to legitimate interest or withdraw consent)

Right to Object to Use of Sensitive Information

 

(While consent is required for special category processing, no express right to withdraw consent).

 

Right to Nondiscrimination

(as part of larger right to withdraw consent)

Financial Incentive Disclosure

 

 

Accountability & Governance

Documentation and Recordkeeping

 

Privacy Risk Assessment

Security

Appropriate Data Security to Safeguard Information

Breach Notification

(Via related statute)

Transfers to Third Parties

Contractual Requirements in Service Provider Agreements

The Colorado Privacy Act: How Does it Stack Up Against the CCPA?

The following provides a high-level cross-reference to help companies compare and contrast the California Consumer Privacy Act (“CCPA”) with the CPA:

 

 

CCPA

Colorado Privacy Act

Ability to Process Data

Permissible Purpose

 

(Must obtain consent to process sensitive data)

Data Minimization

 

(May only collect minimum data necessary)

Individual Rights

Right to be Informed (aka Notice to Data Subjects)

Right to Access

Right to Correction (aka Right to Rectification)

 

Right to Deletion (aka Right to Be Forgotten)

Right to Opt-Out of Behavioral Advertising

 

Right to Opt-Out of Sale

Right to Object to Use of Sensitive Information

 

(While consent is required for special category processing, no express right to withdraw consent).

 

Right to Nondiscrimination

Financial Incentive Disclosure

 

Accountability & Governance

Documentation and Recordkeeping

 

 

Privacy Risk Assessment

 

Security

Appropriate Data Security to Safeguard Information

Breach Notification

(Via related statutes)

(Via related statute)

Transfers to Third Parties

Contractual Requirements in Service Provider Agreements

 

 

The Colorado Privacy Act: How Does it Stack Up Against the CPRA?

The following provides a high-level cross-reference to help companies compare and contrast the California Privacy Rights Act of 2020 (CPRA), which is set to go into effect in 2023, with the CPA:

 

 

CPRA

Colorado Privacy Act

Ability to Process Data

Permissible Purpose

 

(Must obtain consent to process sensitive data)

Data Minimization

(May only collect minimum data necessary)

Individual Rights

Right to be Informed (aka Notice to Data Subjects)

Right to Access

Right to Correction (aka Right to Rectification)

Right to Deletion (aka Right to Be Forgotten)

Right to Opt-Out of Behavioral Advertising

Right to Opt-Out of Sale

Right to Object to Use of Sensitive Information

 

(While consent is required for special category processing, no express right to withdraw consent).

 

Right to Nondiscrimination

Financial Incentive Disclosure

 

Accountability & Governance

Documentation and Recordkeeping

 

Privacy Risk Assessment

Security

Appropriate Data Security to Safeguard Information

Breach Notification

(Via related statute)

(Via related statute)

Transfers to Third Parties

Contractual Requirements in Service Provider Agreements

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 169

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425