December 6, 2021

Volume XI, Number 340


December 03, 2021


New Colorado Privacy Act

Like Virginia and Washington before it, on March 19, 2021, Colorado introduced a data privacy bill, the Colorado Privacy Act (CPA). As currently drafted, the CPA would be similar to other U.S. state privacy laws, including California’s CCPA, Virginia’s Consumer Data Protection Act and Washington’s Privacy Act, although it also bears a close resemblance to the GDPR. If passed, the CPA would go into effect on January 1, 2023.

Who would be subject to the CPA?

The CPA applies to organizations that conduct business in Colorado or intentionally target their products / services to Colorado residents (individuals or households (“Consumers”)) that either: (1) control or process personal data of more than 100,000 Consumers per calendar year; or (2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 Consumers. As with California’s CCPA, the CPA does not apply to employment records and other personal data governed by certain state and federal laws.

What are the main obligations?

The CPA grants Consumers certain rights, namely the right to:

  • Opt-out of the processing of personal data;

  • Authorize another person to act on their behalf to opt-out of the processing of personal data for purposes of targeted advertising or the sale of the Consumer’s data;

  • Confirm whether personal data is being processed and access that data in a portable and readily usable format;

  • Correct inaccurate personal data;

  • Delete personal data; and

  • Obtain consent before collection of certain sensitive personal data (personal data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status).

Organizations are also required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.

Finally, organizations are required to provide Consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must contain disclosures regarding applicable data collection and sharing practices.

What are the main sanctions for noncompliance?

The Colorado Attorney General’s office and state district attorneys would enforce the CPA. The bill provides for civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. There is no private right of action.

© Polsinelli PC, Polsinelli LLP in California
National Law Review, Volume XI, Number 99

About this Author

Shareholder

Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters.  Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing.  She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

303.583.8228
Ephraim T. Hintz Technology Transactions Attorney Polsinelli Denver, CO
Associate

Ephraim Hintz is an associate attorney in the Technology Transactions and Data Privacy practice group. Ephraim’s practice is made up of three (3) subset areas: incident response, technology transactions, and data privacy compliance. Ephraim routinely advises his clients on how to effectively investigate and respond to data security incidents. Ephraim is a skilled drafter and assists his clients with negotiating and drafting SaaS licensing agreements, cloud computing agreements, maintenance and online service terms, and data processing addendums. Ephraim’s knowledge and experience with...

303-256-2704
Thomas P. Weber Technology Transactions Attorney Polsinelli Denver, CO
Associate

Thomas Weber is an associate in the Technology Transactions and Data Privacy practice. He helps clients with data compliance matters, including compliance with the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR), and Gramm-Leach-Bliley Act (GLBA). Thomas also advises clients in breach response matters. Prior to joining the firm, he was a law clerk to the Honorable Judge Rebecca R. Freyre.

303-256-1977