Colorado's governor signed the Colorado Privacy Act ("CPA") into law on July 7, 2021, making Colorado the third U.S. state, after California and Virginia, to enact a comprehensive consumer privacy law.
The key highlights of the Colorado Privacy Act are:
- The CPA protects Colorado residents acting in an individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).
- It applies to "controllers" that conduct business in Colorado or produce products or services intentionally targeted to Colorado residents ("consumers") and that meet one of two thresholds: (1) they control or process the personal data of at least 100,000 consumers, or (2) they derive revenue from, or receive a discount on the price of goods or services in exchange for, the sale of personal data and control or process the personal data of at least 25,000 consumers.
- It does not apply to state agencies or political subdivisions of Colorado, entities or data subject to the GLBA, institutions of higher education, or data collected by covered entities or business associates governed by HIPAA.
- The CPA requires controllers to include a set of mandatory provisions in their contracts with processors, including, but not limited to, a requirement that the processor allow audits and inspections and that its employees involved in processing the data are subject to a duty of confidentiality.
- The CPA does not include a private right of action. It may be enforced only by the Colorado Attorney General's Office and District Attorneys, who will have the authority to ask a court to enjoin businesses whose actions violate the CPA. Before the AG or a DA can initiate an enforcement action, an entity must be given 60 days' notice and an opportunity to cure the alleged violation. This cure period is automatically repealed on January 1, 2025.
*Tanvi Singh, Editorial Assistant, put this story together.