Colorado Passes State Privacy Act, Poised to Become Law
Once it's signed into law, the bill will become the third comprehensive state privacy law in the U.S. after California and Virginia.
Colorado appears poised to introduce the nation's latest cross-industry privacy rights law, joining California, with its California Consumer Privacy Act, and Virginia, with its Consumer Data Protection Act (CDPA), as states with comprehensive data privacy laws on the books.
While it hasn't been made official (the state's governor, Jared Polis, still needs to sign off on the legislation), it was passed by the Colorado General Assembly, with the Senate voting unanimously to adopt the House's amendments to the bill, last week.
All signs point to the regulation getting passed and signed into law within the next 30 days. Following that, it would go into effect in July 2023, giving data protection officers and those in charge of keeping up to date with the country's rapidly changing data privacy rules ample time to ensure they're in compliance with the new legislation.
Introduced in March, the Colorado Privacy Act (Senate Bill 190) would give consumers the right to opt out of having their personal data processed, give data controllers a right to cure any violation, and give the state's attorney general the ability to enforce and make rules around the bill.
In addition to having the right to opt out of the processing of personal data, consumers will also be able to authorize someone else to opt out for them and request that businesses delete data. They'll also have to opt in, giving their consent before data controllers collect their data.
The legislation, similar to Virginia's, which doesn't have a revenue threshold, would be applicable to companies that collect personal data from a certain threshold of consumers. For the CPA, that's either 100,000 Coloradans or 25,000 Coloradans if the organization derives revenue from the sale of their personal data. The CCPA, in comparison, has a revenue threshold; it applies to organizations that make over $25 million annually.
Like many data privacy laws of late, Colorado's doesn't include a private right of action, something that would allow individuals to sue companies if their personally identifiable information winds up getting lost or stolen as part of a hack or breach. While viewed as a necessity by privacy advocates, private rights of action have been notably absent from many privacy bills of late. Organizations, understandably, could face more legal actions, like class action lawsuits, following breaches.
The CPA would also require organizations to conduct a data protection assessment for each of their processing activities involving personal data. This would largely apply to any instance in which personal data is processed for targeted advertising and profiling. This sounds similar to a Data Protection Impact Assessment (DPIA), something that's required for many European enterprises that have to comply with the General Data Protection Regulation. In Colorado, it's likely these assessments will borrow heavily from Virginia's CDPA, which requires organizations to carry out an assessment whenever they do the following:
- Processing of personal data for purposes of targeted advertising,
- Sale of personal data,
- Processing of personal data for purposes of profiling,
- Processing of sensitive data, and
- For any other processing activities involving personal data that present a heightened risk of harm to consumers.
Like other consumer data privacy laws of late, the eventual passage of the Colorado Privacy Act should continue the trend toward heightened privacy awareness at companies when it comes to how user data is handled. With increased scrutiny and liability, organizations will need to know where sensitive data resides at all times.
While Colorado will be just the third state in the country to implement a comprehensive data privacy law, it likely won't be the last this year. As the National Conference of State Legislatures notes, consumer data privacy bills were considered in at least 30 states and Puerto Rico in 2020. So far in 2021, at least as of April, at least 20 states have introduced their own data privacy bills.