Colorado has enacted the nation’s third comprehensive consumer privacy law, after Governor Jared Polis signed Senate Bill 21-190. The Colorado Senate voted 34-1 to send the privacy legislation to the governor’s desk, after the House approved the measure 57-7.
Colorado is the second state this year to pass a law making it easier for consumers to protect personal data online. Colorado’s Privacy Act follows Virginia’s Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Act (CCPA).
What rights does the Privacy Act create?
Colorado’s Privacy Act provides rights similar to those provided by Virginia’s and California’s laws. Among other things, it gives consumers the right to opt-out of data processing for the use of targeted advertising and the sale of personal data. It also gives consumers the right to access, correct, and delete personal data companies have collected. It also gives consumers the right to obtain a copy of their personal data in a portable format. Notably, Colorado’s Act requires that consumers be able to opt -out through a universal opt-out mechanism that meets technical specifications to be established by the Colorado Attorney General. This differs from California’s law, which does not require a global privacy mechanism. The Privacy Act also includes a prohibition on the use of “dark patterns,” defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice,” following a similar prohibition in the latest regulations issued under CCPA.
A “consumer” is defined as a Colorado resident who is “acting only in an individual or household context.” It does not include individuals acting in a “commercial or employment context,” which is similar to Virginia’s law. “Personal data” is broadly defined as information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information. “Sensitive data” is defined as (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, (b) genetic or biometric data that may be processed to uniquely identify an individual, or (c) personal data from a known child. The Act affords extra protections for the processing of sensitive data.
Who must comply with the Privacy Act?
Colorado’s new privacy law applies to any legal entity that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and that satisfies one or both of the following thresholds:
- controls or processes personal data of 100,000 or more consumers per year, or
- derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 consumers or more.
The Privacy Act is limited in scope to Colorado individuals acting in an individual or household context and excludes where the individual acts in a commercial or employment context, including “as a job applicant, or as a beneficiary of someone acting in an employment context.” As in Virginia, this scope limitation does not sunset.
The Colorado Privacy Act includes terminology and obligations modeled after the EU’s General Data Protection Regulation (GDPR). For example, Colorado’s law distinguishes between controllers and processors, and a business’s obligation depends upon this distinction. Controllers “determine the purposes for and means of processing personal data”. Those that process personal data on behalf of a controller are “processors.”
Like the Virginia and California laws, Colorado’s Privacy Act does not apply to certain exempt entities or data. For example, it does not apply to certain entities, like financial institutions regulated under the federal Gramm-Leach-Bliley Act (GLBA), or data processed by certain regulated entities such as national securities associations and air carriers. It also doesn’t apply to employment records and certain data held by state government, public utilities, and public universities. Additionally, like the Virginia and California laws, Colorado’s law doesn’t apply to data that is governed and processed in accordance with certain state and federal laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA) the Children’s Online Privacy Protection Act of 1998 (COPPA), and the Fair Credit and Reporting Act (FCRA). However, unlike Virginia and California, Colorado’s law will apply to non-profit organizations that meet the thresholds.
Unlike the Virginia and California laws, Colorado’s law is enforceable by the Colorado Attorney General as well as state district attorneys. The Act does not provide a private right of action that would allow consumers to sue for alleged violations.
Before beginning any enforcement action, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. The controller has 60 days after receipt of the notice of violation to cure the violation. Non-compliance with the Act is considered a deceptive trade practice. Violators face civil penalties of up to $2,000 for each violation with a maximum penalty of $500,000 for related violations.
When does the Colorado Privacy Act go into Effect?
The Colorado Privacy Act takes effect on July 1, 2023. However, the governor issued a signing statement voicing concerns that “several issues remain outstanding” and that the Act needs “clean-up” legislation to “strike the appropriate balance between consumer protection while not stifling innovation and Colorado’s positions as a top state to do business.”
The Future of Privacy Laws in the U.S.
While Colorado is the third state to pass a privacy law, it may not be the last. Bills have been proposed in a number of states this year, including Florida, Oklahoma, and Washington. While those bills failed this year, it remains to be seen if they will fare better in the future. Additionally, on July 12, 2021, House Bill 376, the “Ohio Personal Privacy Act,” was introduced in the Ohio House of Representatives. House Bill 376 would provide Ohio consumers with certain rights related to their data as well as would provide an affirmative defense for businesses if they craft a written privacy program that “reasonably conforms” to certain NIST framework and standards.
Thompson Coburn’s attorneys are closely monitoring the developments. For questions, please contact the Thompson Coburn lawyer with whom you usually work, the authors, or any member of the firm’s Cybersecurity, Privacy and Data Governance practice group.
Libby Casale is an associate in Thompson Coburn’s Business Litigation practice group.