New Colorado Privacy Act Has Been Passed

The governor of Colorado, Jared Polis, has recently signed the Colorado Privacy Act (the CPA) into law. This makes Colorado the third state to join the admittedly short list of states that have put in place detailed and far-reaching laws regarding data security. Before Colorado, Virginia enacted its own data security law in 2021, and California in 2018.

The CPA shares many similarities with Virginia’s Consumer Data Protection Act (the VCDPA). Like its Virginia counterpart, the CPA incorporates elements of the General Data Protection Act that was passed by the European Union. Both the Colorado and Virginia acts also drew from the Consumer Privacy Act California enacted.

The CPA’s authority encompasses any business operating in Colorado or targeting residents of that state that is either collecting or processing significant amounts of consumers’ data. However, this does not include businesses such as financial institutions, which themselves fall under the Gramm-Leach-Bliley Act.

Entities or organizations that fall under the Health Insurance Portability and Accountability Act are also excluded from the CPA. In contrast to the California Privacy Act, employee data and business-to-business data collections are also excluded from the new Colorado law.

As is the case in Virginia, residents of Colorado can expect to enjoy new rights under the CPA. These rights include the ability to access, obtain, correct, and even delete personal data that exists as copies within the possession of businesses that fall under the CPA. Colorado residents will also be able to choose to not allow targeted advertising to use their personal data.

One of the more recognizable elements inspired by the GDPA is the array of new security and privacy responsibilities that controller companies (who collect data) and processor companies (who process data) have to uphold. Also similar to the VCDPA, the CPA requires controllers to:

  • Protect Colorado residents’ personal data with “reasonable” security.
  • Set up the means and apparatuses by which consumers will be able to use their CPA-granted rights.
  • Inform consumers if their personal data has been sold.
  • Get consent before processing data of a sensitive nature.
  • Give privacy notices that are well-detailed.
  • Engage data processors in agreements that include terms protecting consumers’ data as it is being processed.
  • Perform and record data assessments upon specific data processing activities. This includes any use or sale of someone’s personal data.

Processor companies, for their part, have to both abide by the above agreements they make with controllers and help those same controllers fulfill their own responsibilities as listed above.

The Colorado Privacy Act will take effect on July 1, 2023.
