This summer, Colorado will join the growing list of U.S. states that have comprehensive privacy legislation in effect. Although largely consistent with other existing laws in California and Virginia and pending laws in multiple other states, the Colorado Privacy Act (CPA) has some unique features that set it apart from other state privacy laws. For example, the law applies not only to for-profit companies but also to nonprofit organizations. In addition, the CPA requires affirmative consent to process "sensitive data" such as health or financial data. This is a higher standard than many other state privacy laws, which only require opt-out consent for sensitive data. Starting in July 2024, the law will require recognition of a universal privacy opt-out such as Global Privacy Control. Finally, the CPA explicitly delegated enforcement authority to the state attorney general, which has issued compliance regulations that require data privacy impact assessments and expanded disclosure requirements for consumer loyalty programs.
Why It Matters
The CPA takes effect on July 1, 2023, and will increase the stakes for privacy compliance. Companies that already have a privacy program designed to comply with California law may still have to review their privacy policy and back-end processes to be sure they have the right measures in place, and some nonprofits will have to address privacy compliance for the first time. The law provides a 60-day cure period for the first year, which should help covered companies and nonprofits work out any kinks in their operations. After that, violations can carry penalties of up to $20,000 per violation.