Colorado Becomes Third State to Pass New General Privacy Law

Colorado may soon enter the national stage for its new privacy legislation. On June 8, 2021, Colorado’s legislature passed the Colorado Privacy Act (SB21-190) (ColoPA). The bill was recently sent to the Colorado governor’s desk, where he will have until July 8 to sign or veto the bill, otherwise it will become law without his signature. If Governor Jared Polis signs the bill or does not act on it (and assuming the act is not put to a referendum), Colorado will become the third U.S. state to enact comprehensive privacy legislation, after California and Virginia.

ColoPA mimics the California Consumer Privacy Act (CCPA), California Consumer Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and the EU General Data Protection Regulation (GDPR) in numerous ways. For example, ColoPA prescribes data rights for consumers and duties for controllers and processors of data. Similar to the VCDPA and the GDPR, it assigns controllers the responsibility of conducting data protection assessments (DPAs) for certain activities. ColoPA tracks more closely to the VCDPA with regard to its robust rights to opt out of the sale of personal data and opt out of the processing of personal data for targeted advertising and certain types of profiling, as well as its requirement to obtain consent before processing sensitive personal data. Unless the bill is vetoed, ColoPA will go into force on July 1, 2023.

Key Takeaways:

  • Operationally, ColoPA contains significant overlap with the VCDPA and CPRA regarding the privacy rights businesses must offer to Colorado residents and the privacy policies and procedures companies and vendors will have to implement to comply with the law.
  • ColoPA uses scoping thresholds functionally identical to the VCDPA, but unlike the CCPA, CPRA, and VCDPA, ColoPA does not contain an exemption for nonprofit organizations. If ColoPA is enacted, a nonprofit meeting one of the ColoPA threshold criteria would be subject to the law.
  • ColoPA creates rights for Colorado residents to opt out of the sale of personal data and opt out of the processing of personal data for targeted advertising and certain types of profiling. The law also creates rights of access, correction, deletion, and data portability, largely mirroring the VCDPA and overlapping substantially with the CPRA.
  • Like the VCDPA, ColoPA requires businesses to obtain consent1 before processing sensitive personal data.2 This contrasts with the CPRA’s more limited opt-out approach for certain uses of sensitive personal data.
  • ColoPA is also the second U.S. state privacy law, after the CPRA, to address the concept of “dark patterns” and expressly state that consent obtained via dark patterns is not valid. This may signal that U.S. legislators and regulators alike are becoming increasingly interested in the potential for interface design to manipulate consumer behavior, given that the FTC hosted a dark patterns workshop earlier this year.
  • ColoPA is the second U.S. state privacy law to require data protection assessments, largely tracking those required by the VCDPA. This may be a sign that the EU-style risk-of-harm-based approach may become more prevalent in future U.S. state privacy laws.
  • If signed into law, the ColoPA will come into effect July 1, 2023, six months after the CPRA and VCDPA come into force. Many companies operating across the U.S. will be subject to all three new state privacy laws (Colorado, Virginia, and California) in early-mid 2023 and should therefore consider taking a proactive approach to begin developing their compliance strategy early.
  • ColoPA does not create a private right of action. Rather, only Colorado’s attorney general and district attorneys will be able to enforce the law. ColoPA also includes a 60-day cure period for violations, but that cure provision is set to automatically sunset on January 1, 2025.
  • A patchwork of U.S. state privacy laws is emerging, making nuanced analysis of applicable laws critical, especially given that each law has unique features.


ColoPA applies to controllers that conduct business or produce commercial products or services that are intentionally targeted at Colorado residents and that satisfy one or both of the following thresholds: 1) control or process3 personal data of 100,000 consumers or more during a calendar year; or 2) derive revenue (or receive a discount on the price of goods and services) from the sale of personal data and process or control the personal data of 25,000 consumers or more. ColoPA defines “consumer” as a Colorado resident acting only in an individual or household context. Mirroring the VCDPA, ColoPA expressly excludes individuals acting in a commercial or employment context from the definition of consumer, meaning the personal data of employees, contractors, or job applicants is exempt from ColoPA. In contrast, the California privacy laws and GDPR may apply to employee, contractor, or job applicant data.

Similar to the VCDPA, ColoPA extends broad, status-based exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), and state institutions of higher education. ColoPA also contains certain data-based exemptions, particularly around protected health information under HIPAA and health records under related laws, and personal data regulated by the Fair Credit Report Act (FCRA), the federal Driver’s Privacy Protection Act (DPPA), the Children’s Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act (FERPA). Finally, ColoPA carves out industry-based exemptions for personal data processed by air carriers, national securities associations, and public utility companies.

Consumer Rights

Similar to the California privacy laws, VCDPA, and GDPR, ColoPA grants consumers rights regarding their personal data, which the ColoPA defines as “information that is linked or reasonably linkable to an identified or identifiable individual” and excludes de-identified or publicly available information. Specifically, ColoPA provides the consumer rights of access, correction, deletion, and data portability. Following the VCDPA’s example, ColoPA also grants consumers the right to opt out of the processing of their personal data for the purpose of targeted advertising, sale, and profiling decisions that have legal or similarly significant effects. ColoPA also prohibits the processing of sensitive data without first obtaining the consumer’s consent. Notably, ColoPA defines “sale” to mean “the exchange of personal data for monetary or other valuable consideration by a controller to a third party,” thus adopting a broader definition of sale similar to California’s privacy laws rather than the VCDPA’s more limited definition that includes only an exchange of personal data for monetary consideration.

Under ColoPA, consumers may exercise their opt-out right via a third party, including via a universal opt-out mechanism that meets the requirements set out by the state attorney general (to be established by July 1, 2023). ColoPA requires this opt-out method to be provided clearly and conspicuously within and outside of the law’s required privacy notice. While compliance with the universal opt-out mechanism will initially be optional, it will be required beginning July 1, 2024.

Consistent with the CCPA, CPRA, and VCDPA, controllers must respond to consumer requests within 45 days and this time period can be extended for an additional 45 days. As with the VCDPA, all consumer requests must be authenticated. ColoPA also specifies grounds on which a controller may deny a consumer’s request, one of note being that the data is pseudonymized (defined to mean the data can no longer be attributed to a specific individual without the use of additional information) and the controller keeps the information necessary to re-identify the data separately, subject to effective technical and organizational measures to prevent access. Similar to the VCDPA, ColoPA requires the establishment of an appeals process allowing a consumer to appeal any denials of requests.

This article originally appeared in JD Supra

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Previous Article

NICE Unveils its Robo-Ethical Framework

Next Article Introduces Voice AI Bots to its CX Platform

Related Posts

Subscribe to TheCustomer Report

Customer Enlightenment Delivered Daily.

    Get the latest insights, tips, and technologies to help you build and protect your customer estate.