August 13, 2022

Volume XII, Number 225


State Privacy Patchwork Spreads with Signing of Colorado Privacy Act


On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.


Applicability and Exemptions

Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:

  • The organization processes data on 100,000 or more Colorado consumers annually.

  • The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.

This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.

There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.

Substantive Rights Largely Mirror Other State Privacy Laws

The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:

  • Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.

  • Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.

  • Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”

  • Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, health conditions, genetic or biometric information, sex life or sexual orientation and citizenship status. Notably, geolocation information is not “sensitive” for these purposes, unlike the CDPA.

In addition, for any of the activities that give rise to opt-out or opt-in rights, companies will be required to conduct and document “data protection assessments.” These assessments align with a similar requirement under the CDPA, and they must be made available to the Colorado Attorney General upon request.

“Secondary Uses” Restricted

One area where the CPA goes beyond the CCPA/CPRA and the CDPA is with the introduction of a new “duty to avoid secondary use.” This duty prohibits covered organizations from using data for purposes that “are not reasonably necessary or compatible with the specified purposes for which the personal data are processed.” Businesses can override this prohibition by obtaining the consumer’s consent for new processing activities.

Colorado’s prohibition on secondary uses—in conjunction with its requirements that businesses expressly identify the purpose of data collection—reflects a longstanding Federal Trade Commission (FTC) position that post-collection data practices must be consistent with pre-collection disclosures. However, due to the emphasis on “specified purposes” and the express “consent” requirement for new uses, the CPA arguably goes beyond FTC guidance by imposing a more explicit prohibition on such uses. Companies will need to scrutinize their privacy notices to ensure that any purposes are adequately specified to avoid running afoul of this new statutory requirement under the CPA.

Controller/Processor Contracting

Like other state privacy laws and the European Union’s General Data Protection Regulation (GDPR), the CPA distinguishes between data “controllers” and “processors” and mandates specific contract terms between these entities. However, the CPA adds some requirements not otherwise contained in existing US law or the GDPR. In particular, controllers and processors are expressly prohibited from introducing contract terms that “relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship.” This language could potentially undermine any indemnification terms the parties may have negotiated in their existing agreements. Covered organizations should examine their current vendor and customer contract templates to re-evaluate their exposure and to ensure that those contracts comply with the CPA’s contracting requirements.

Next Steps for Business

With the array of new privacy laws set to take effect in 2023, in-house counsel and privacy professionals have their work cut out for them in aligning their businesses with the expanding patchwork of state laws. As an initial step, organizations should evaluate whether they meet the applicability requirements for the CPA. As mentioned, many businesses will not trigger the high bar for applicability of these laws. If the CPA is applicable, an important second step will be evaluating exposure to the new “sensitive data” requirements by updating or creating data maps that include the sensitive data categories.

Finally, companies should be careful not to lose sight of the bigger picture. While state legislative momentum may be slowing for the remainder of 2021, activity is expected to pick back up when many state legislatures reconvene in the beginning of 2022. As businesses take steps to understand and comply with the CPA and other laws, they should do so with future developments in mind, focusing on creating dynamic and “agile” privacy programs that can react quickly and adapt to the changing landscape.

© 2022 McDermott Will & Emery

National Law Review, Volume XI, Number 190

About this Author

Austin Mooney, Cybersecurity Attorney, McDermott Will & Emery Law Firm

Austin Mooney focuses his practice on global privacy, cybersecurity, and emerging technologies. A Certified Information Privacy Professional/Europe, he is experienced in helping clients navigate US and international data protection law, including the GDPR. He is well versed in consumer privacy actions, as well as in compliance issues with the Foreign Intelligence Surveillance Act (FISA) and other federal surveillance law. He counsels clients on a wide range of topics, including consumer protection law, cross-border data flows, and data breach response and prevention.


Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office. Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group. She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law. While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

David Saunders, Cybersecurity Attorney, McDermott Will & Emery Law Firm

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.


David works collaboratively with a diverse range of clients, from small businesses and pro bono clients to multinational Fortune 100 companies, understanding and advising on...

Fran Forte, Data Privacy Lawyer, McDermott Will & Emery Law Firm

Fran Forte focuses her practice on privacy and data security matters, advising clients on domestic and international privacy and cybersecurity laws and regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Fran counsels clients in many industries, including cybersecurity product providers, retailers, payment processors, and financial institutions. Fran continuously monitors and advises clients on how privacy and data security laws, regulations and consumer expectations may impact their business practices. Fran has...