The State of Colorado is now the third state in the United States to enact a comprehensive privacy law, the Colorado Privacy Act (CPA), following California’s CCPA in 2018, and Virginia’s CDPA in 2021. The CPA, set to take effect in July 2023, generally applies to any business that annually processes the personal data of over 100,000 Colorado residents, or that sells the personal information of more than 25,000 Colorado residents a year.
The CPA grants Colorado data subjects the right to access, correct, or delete data, as well as the right to data portability. In addition, data subjects may opt out of the sale of their data, the use of their data for targeted ads, or the use of automated decision mechanisms on their data. The CPA also requires businesses to honor a global opt-out mechanism, to be specified by the Colorado Attorney General.
The CPA imposes various additional obligations on business, such as data minimization and the posting of a privacy notice specifying the data collected, its processing purposes, and the nature of the data recipients. The CPA will be enforced by the Attorney General.
Colorado Governor Jared Polis signed the CPA into law and indicated that some amendments to the CPA are necessary due to the speedy legislative process, to strike a better balance between consumers’ right to privacy and the state’s interest in attracting technology businesses.
Click HERE to read Colorado Privacy Act, as enacted.