March 27, 2023

Volume XIII, Number 86


March 24, 2023

Subscribe to Latest Legal News and Analysis

Preparing for New Consumer Privacy Laws in Colorado, Connecticut and Utah

We would not blame companies for feeling fatigued after the race to comply with the amended California Consumer Privacy Act (CCPA), the soon-to-be finalized CCPA regulations and the new Virginia Consumer Data Protection Act (CDPA) requirements. For some companies, however, these events were simply mile markers in the race to comply with Connecticut and Colorado’s new laws coming into effect on July 1, 2023, and Utah’s new law on December 31, 2023. For others, one of these upcoming state laws will be the first time that your company will need to build a US consumer privacy program. Either way, the Global Privacy and Cybersecurity team at McDermott Will & Emery is here to assist.



Closely resembling Virginia’s CDPA, the application of the Colorado Privacy Act (CPA), Connecticut’s Personal Data Privacy Act (PDPA) and Utah’s Consumer Privacy Act (UCPA) depends in large part on the number of residents of each respective state whose information is processed by a company. In Colorado and Connecticut, companies that do business or offer good or services in Colorado or Connecticut and control the processing of 100,000 or more residents in each state are subject to the new laws. In Utah, a company is subject to the UCPA if the company does business or offers good or services in Utah and has annual global revenue of at least $25 million and controls the processing of at least 100,000 Utah residents. The other way that these new laws could be triggered is if a company receives 50% or more of its annual revenue from the sale of personal information, including through the sale of the data for at least 25,000 residents in each state. Of course, each state law also contains a variety of exemptions for companies subject to federal laws, such as the Gramm–Leach–Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

Critically, however, the CPA applies to nonprofit organizations, that produce or deliver commercial goods or services in Colorado, which makes it an outlier among the laws coming into effect in 2023. If you are a nonprofit organization (for example, a hospital), Colorado will likely be the first time that you must contend with these new consumer privacy laws.


Targeted Advertising

Connecticut, Colorado and Utah will give consumers the right to opt out of targeted advertising, which is generally defined as displaying a digital advertisement that is based on personal information obtained or inferred over time across nonaffiliated websites or applications. Both Connecticut and Colorado require that companies provide methods outside of a company’s privacy policy for consumers to opt out of targeted advertising. In Connecticut, that means providing a static link on a home page. In Colorado, the opt-out must be “clear and conspicuous, and readily accessible.” These requirements are likely to require even businesses that already have an opt-out link on their website to comply with the CCPA.

While many businesses engaging in targeted advertising already have an opt-out link on their home page to comply with the CCPA, the Colorado and Connecticut laws will likely require updates to these links given the proscriptive nature of the CCPA’s “Do Not Sell or Share” language, which may not “conspicuously” communicate the opt-out of targeted advertising required by Connecticut and Colorado.

Action item: If engaging in targeted advertising for consumers in Colorado and Connecticut, place an opt-out link on your website or update your existing opt-out link.

Sensitive Personal Information

Each of the new state laws that take effect in 2023 have rules regarding “sensitive” data. Most of the new state laws treat ethnicity, religious beliefs, mental and physical health diagnoses, sexual orientation, citizenship, specific geolocation, biometric and genetic information, and the information of a known child as sensitive. Like Virginia, Colorado and Connecticut require consumer consent before a business can collect this type of information. In contrast, Utah requires that companies offer consumers the opportunity to opt out of a company collecting this type of information.

Notably, the draft Colorado regulations (which are not yet finalized) also require businesses to add disclosures in their privacy policies related to sensitive data inferences (e.g., inferring religious beliefs or medical conditions from a dietary preference).

Action item: Ensure that you have a consent or opt-out mechanism in place if you are collecting sensitive personal information and sensitive personal information inferences.

Data Protection Assessments

Colorado and Connecticut’s new laws require companies to prepare data protection assessments in the event that they are (1) engaged in targeted advertising; (2) selling personal data; (3) profiling where the profiling could have a legally significant impact on the consumer (e.g., credit decisions); or (4) processing sensitive data. These assessments are critical compliance pieces that companies may need to provide to regulators upon request. Companies that have already performed these assessments to comply with other laws will still need to refresh them to account for data processing activities related to Colorado and Connecticut residents. Companies will also need to keep an eye out for California’s next wave of CCPA rulemaking which will make effective the CCPA’s requirements to conduct data protection assessments.

Action item: Update or prepare data protection assessments for regulated data processes.

Consumer Appeal Rights

Companies that have implemented compliance programs for the Virginia law may already have a system in place for addressing consumer appeal rights, but if not, the new laws in Colorado and Connecticut will require them. Colorado and Connecticut require a company to implement an internal appeal process by which a consumer can challenge a company’s prior decision not to honor a consumer rights request. In addition to designing this internal process, companies must inform consumers in privacy policies and responses to rights requests about their right to appeal and the process for doing so.

Action item: Implement or expand the scope of your internal data subject request appeal process and update privacy policies and template rights request response materials to include information about the right.

No Employee or B2B Data

The good news for many companies is that each of the Colorado, Connecticut and Utah laws expressly exempt from coverage employee data and business contact information. California remains the only state where that information is in scope.

Action item: Nothing!


We have highlighted some of the key obligations that companies will face to prepare for the effective dates of the new laws in Colorado, Connecticut and Utah. However, what each company must do to comply with the new laws likely will vary based on each company’s current compliance posture. And, of course, the work starts with a thorough examination of whether a company is subject to these new consumer privacy laws in the first instance.

© 2023 McDermott Will & EmeryNational Law Review, Volume XIII, Number 34

About this Author

Elliot Golding Business Privacy and Cybersecurity Attorney

Elliot Golding provides business-oriented privacy and cybersecurity advice to global companies spanning virtually every sector of the economy, with particular expertise in the technology, health care/life sciences, retail/ecommerce, automotive and financial sectors. His practical approach gives clients actionable advice to help balance legal risk with business needs, particularly relating to innovative issues such as “digital health” technologies, biometrics, the Internet of Things, data monetization, online advertising technology and Artificial Intelligence/Machine...

Kathryn Linsky Cybersecurity and Data Protection Attorney

Kathryn Linsky, CIPP/US, is an experienced privacy, data protection and cybersecurity lawyer counseling on data protection practices throughout the information lifecycle, including compliance with national and international regulations and data processing in emerging technologies.

Kathryn works directly with legal and business stakeholders to advise clients on product and feature development, with a focus on privacy by design. Kathryn is solutions-oriented and skilled in providing practical, business-facing advice, taking into account the...

Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

David Saunders Cybbersec Attorney McDermott Will Emery Law Firm

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.


David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on...