All You Need to Know About the New Colorado Privacy Act

The state of Colorado passed the Colorado Privacy Act (CPA) on June 8, 2021, getting a step closer to becoming the third US state (after California and Virginia) to have its own privacy law. After being signed by the Governor, the law will go into effect in 2023.

Companies already complying with CCPA, GDPR, etc., will be better positioned to adapt to the Colorado Privacy Act. Despite its similarities with existing laws, the CPA also contains notable differences, including its definition of "sensitive data" and the scope of its exemptions. A well-thought-out plan will help organizations satisfy CPA’s unique provisions without disrupting existing business operations.

The act will provide greater control to Colorado citizens over their personal data while bringing accountability to data controllers and processors. The CPA has also drawn criticism from privacy advocates due to the lack of a private right of action, which allows consumers to seek legal action under certain circumstances.

How can you be prepared for CPA?

First of all, you need to understand who falls under the purview of the Colorado Privacy Act. The bill applies to controllers doing business or providing products or services targeted towards Colorado residents and that either:

  1. collects