Colorado has become the third state in the country to enact a comprehensive privacy law, which follows the model set for by the laws in California and Virginia, while possessing its own quirks and nuances.
The law is scheduled to go into effect on July 1, 2023.
Similar to California and Virginia, the Colorado Privacy Act includes the right for residents of the state to access, correct, and delete the personal data held by organizations that are subject to the law. Residents will also have the right to opt out of receiving personalized offers based on their data and prevent their data from being sold, Unlike California and Virginia, residents do not have a private right of action to sue for alleged violations of the law’s provisions. Instead, it will be up to the Colorado Attorney General or state district attorneys to investigate and pursue violations. Violations of the law may be deemed to be deceptive trade practices under the Colorado Consumer Protection Act, which carries a fine of $20,000 per violations — significantly higher than what California or Virginia can levy.
While he signed the bill into law, Colorado Gov. Jared Polis did note that additional legislation will be required in the future, before the CPA goes into effect, to ensure “Colorado’s competitiveness with other states as an incubator of new technologies and innovations.”
The law applies to companies that control or possess the personal information of more than 100,000 individuals per year or derive revenue from the sale of personal data of at least 25,000 residents. There are no revenue thresholds, like the law in Virginia, for being subject to the CPA.
“Right now, companies are collecting data on consumers that consumers don’t know about. Absent action at the federal level, states like Colorado are advancing effective data privacy policy solutions,” Colorado Attorney General Phil Weiser said in a statement. “The core part of the Colorado data privacy bill that really matters is consumers will have the ability to control and dictate how their data is used. Additionally, SB21-190 gives the attorney general’s office the authority to develop rules to protect consumers while enabling companies to use information to keep consumers safe and to provide valued services.”
A more comprehensive analysis of the law, written by attorneys from Squire Patton Boggs, is available by clicking here.