Privacy frameworks are continuing to shift in Colorado and across the nation, requiring businesses to adapt to increasing oversight from regulatory bodies. In-house protocols for both managing privacy protection and monitoring compliance are important tools in any company’s repertoire. A robust data privacy program may also benefit from the advice of seasoned data privacy attorneys whose practice areas encompass broad-based consumer protection regulatory compliance.
The Colorado Privacy Act (CPA) was enacted in July 2021, making Colorado the third state – following California and Virginia– to enact a comprehensive consumer data privacy law. The Virginia/Colorado privacy model includes nuanced privacy obligations that differ in some important ways from the California privacy model. Similar to California’s privacy law, the CPA includes corresponding regulations.
The CPA applies to companies that engage in business with Colorado residents and that (1) control or process the personal data of at least 100,000 Colorado consumers during a calendar year or (2) control or process personal data of at least 25,000 Colorado consumers and derive revenue or receive a discount on the price of goods or services from selling personal data. Meeting either regulatory threshold will impose an obligation on the company to ensure its compliance with CPA requirements.
How Can We Help? Let's Talk
The CPA grants Colorado consumers a range of privacy rights, including right of access, right of correction, right to delete, right to data portability, and right to opt out. To ensure the protection of consumer data privacy, new obligations have been imposed on all companies that fall under the purview of the law. For instance, businesses must now consider the following legal duties:
Violations of the Colorado Privacy Act are considered deceptive trade practices, meaning the penalties are governed by the Colorado Consumer Protection Act. As such, companies that are found to be noncompliant can face fines of up to $20,000 per violation, with enforcement managed by the office of the Colorado Attorney General. The CPA does not establish a private right of action for consumers.
Businesses have a legal obligation to remain compliant with a host of regulatory requirements imposed by federal and state consumer protection and privacy laws. The interplay of these laws can be complex, demanding the implementation of compliance procedures that recognize an array of overlapping, and even potentially conflicting, rules.<
The CPA in particular may require few to no changes for a business operating well beneath the regulatory threshold, while a company managing data collected from large numbers of Colorado residents annually may already have faced a comprehensive overhaul of its consumer data handling procedures.
For companies approaching the CPA applicability threshold, it may be advisable to begin developing appropriate protocols for collecting data, for disclosing foreseeable uses of data to consumers, and for securely storing the collected data –– before being required to do so by law.
The considerations necessary for compliance under the CPA also vary somewhat depending on whether a business is defined as a data controller vs. processor, while some businesses may function in both roles. Understanding how the CPA defines these terms and what they mean for a company’s obligations is essential to achieving and maintaining compliance with this law.
Whether defined under the CPA as data controllers or processors, we have guided many businesses throughout their compliance journey, helping them:
