iColorado is the third state, after California and Virginia, to get a comprehensive data privacy statute through its legislature. While the Colorado Privacy Act (CPA) awaits signature by Gov. Polis, businesses are assessing to what extent the CPA will impact their privacy programs.
The following provides a high-level cross-reference to help companies compare and contrast the Virginia Consumer Data Protection Act (VCDPA), which was enacted in February 2021, with the CPA:
|
|
VCDPA |
Colorado Privacy Act |
|
|
Ability to Process Data |
Permissible Purpose |
✓ (Consent for sensitive data) |
✓ (Must obtain consent to process sensitive data) |
|
Data Minimization |
✓ (Only extends to collection) |
✓ (May only collect minimum data necessary) |
|
|
Individual Rights |
Right to be Informed (aka Notice to Data Subjects) |
✓ |
✓ |
|
Right to Access |
✓ |
✓ |
|
|
Right to Correction (aka Right to Rectification) |
✓ |
✓ |
|
|
Right to Deletion (aka Right to Be Forgotten) |
✓ |
✓ |
|
|
Right to Opt-Out of Behavioral Advertising |
✓ |
✓ |
|
|
Right to Opt-Out of Sale |
✓ |
✓ |
|
|
Right to Object to Use of Sensitive Information |
(While consent is required for special category processing, no express right to withdraw consent). |
|
|
|
Right to Nondiscrimination |
✓ |
✓ |
|
|
Financial Incentive Disclosure |
|
|
|
|
Accountability & Governance |
Documentation and Recordkeeping |
|
|
|
Privacy Risk Assessment |
✓ |
✓ |
|
|
Security |
Appropriate Data Security to Safeguard Information |
✓ |
✓ |
|
Breach Notification |
✓ (Via related statutes) |
✓ (Via related statutes) |
|
|
Transfers to Third Parties |
Contractual Requirements in Service Provider Agreements |
✓ |
✓ |
