The Colorado Privacy Act, New Data Privacy Requirements

The Colorado Privacy Act is a newly passed comprehensive data privacy law geared towards protecting the privacy and personal information of Colorado residents when using the internet. The Act both identifies and imposes a variety of obligations on “controllers” and “processors” of personal information that is collected online from Colorado consumers. Under the Act, a “controller” is defined as a person that “determines the purposes for and means of processing personal data.” A “processor,” by contrast, is defined as a person who processes the personal data of consumers on behalf of the controller. The requirements and obligations of controllers under the Act are as follows:

Who is protected under the Colorado Privacy Act?

The Colorado Privacy Act protects Colorado residents and grants them certain rights in relation to the protection of their personal information and data. More specifically, the CPA affords Colorado consumers the following rights:

Much like the California Privacy Act and the Virginia Privacy Law, the CPA requires data controllers to respond to the authenticated requests of consumers within 45 days. What’s more, the CPA also requires controllers to establish a process by which consumers can appeal the denial of their authentication request.

Who does the Colorado Privacy Act Apply to?

The Colorado Privacy Act applies to all Colorado residents, defined as consumers under the CPA, and imposes data protection requirements on businesses that meet one of the following thresholds:

How do businesses comply with the Colorado Privacy Act?

Much like the recently passed Virginia and California data privacy laws, the CPA permits businesses and companies to develop their own general uniform approach concerning data privacy compliance obligations. Despite this, the CPA suggests the following framework for assessing such compliance obligations and requirements under the act:

What are the fines and penalties for non-compliance under the CPA?

The CPA will be enforced by both the Colorado Attorney General and state district attorneys. Any violation of the CPA constitutes a deceptive trade practice under the Colorado Consumer Protection Act. Violations of the CPA, and in turn of the Colorado Consumer Protection Act, are punishable by fines of up to $2,000 for each violation, with a maximum penalty of $500,000 for related violations. Under the CPA, Colorado consumers have no private right of action, and the Colorado Attorney General is authorized to “adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation” of the CPA.

The goal of the CPA is to provide Colorado consumers and residents with a further level of protection when sharing their personal information on the internet. As online activity is at an all-time high due to the expansion of internet service in the last 25 years, such pieces of legislation are very much needed. In keeping with legislation passed by both Virginia and California, Colorado is the most recent state to pass a comprehensive data protection law. While only a handful of states have passed such legislation as of this writing, more states are sure to look into passing their own forms of online data privacy laws in the near future.
