September 17, 2021

Volume XI, Number 260


September 16, 2021

Subscribe to Latest Legal News and Analysis

September 15, 2021

Subscribe to Latest Legal News and Analysis

September 14, 2021

Subscribe to Latest Legal News and Analysis

The Colorado Privacy Act: How Does it Stack Up Against the VCDPA?

Colorado is the third state, after California and Virginia, to get a comprehensive data privacy statute through its legislature. While the Colorado Privacy Act (CPA) awaits signature by Gov. Polis, businesses are assessing to what extent the CPA will impact their privacy programs.

The following provides a high-level cross-reference to help companies compare and contrast the Virginia Consumer Data Protection Act (VCDPA), which was enacted in February 2021, with the CPA:



Colorado Privacy Act

Ability to Process Data

Permissible Purpose

(Consent for sensitive data)

(Must obtain consent to process sensitive data)

Data Minimization

(Only extends to collection)

(May only collect minimum data necessary)

Individual Rights

Right to be Informed (aka Notice to Data Subjects)

Right to Access

Right to Correction (aka Right to Rectification)

Right to Deletion (aka Right to Be Forgotten)

Right to Opt-Out of Behavioral Advertising

Right to Opt-Out of Sale

Right to Object to Use of Sensitive Information


(While consent is required for special category processing, no express right to withdraw consent).


Right to Nondiscrimination

Financial Incentive Disclosure



Accountability & Governance

Documentation and Recordkeeping



Privacy Risk Assessment


Appropriate Data Security to Safeguard Information

Breach Notification

(Via related statutes)

(Via related statutes)

Transfers to Third Parties

Contractual Requirements in Service Provider Agreements

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 176

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...