In Colorado, just when it appeared that efforts to pass data privacy legislation would go on hiatus, a successful last-minute push enabled it to become the second state this year, and third overall, to enact comprehensive privacy legislation.

The Colorado Privacy Act (CPA) adds to a myriad of sector-specific regulations and anticipates additional regulations aimed at cybersecurity. While it is similar to Virginia's and California's data privacy statutes, there are some distinct differences, and since other states will likely follow suit, organizations may need to plan for a patchwork of state-by-state requirements.

Broader Opt-Out and Enforcement Powers

The consumer opt-out right under the CPA differs from California's and Virginia's. By 2024, companies must honor opt-outs made through a global privacy control browser setting, rather than only on a website-by-website basis. While the details of this global browser setting have not yet been determined and will be specified by the Colorado Attorney General (AG) by July 2023, companies must allow consumers to opt out, across all websites, of data processing that involves the sale of personal data, targeted advertising or profiling.

Enforcement is also slightly different under the CPA. In addition to the AG, any of the state’s 22 district attorneys can bring an enforcement action, a first in privacy legislation in the U.S. If enforcement ensues, the CPA includes a 60-day cure period for companies to bring their practices in line with the CPA’s requirements.

Restricted Use of ‘Dark Patterns’ and Data

The CPA is also the first statute to explicitly prohibit obtaining consumer consent through the use of dark patterns. Dark patterns – which manipulate users of websites and apps into doing things they did not intend – often implicate data collection and consumer consent, and thus have become a recent focus of regulators.

The Federal Trade Commission (FTC) and California AG have both taken action to address dark patterns this year, the FTC through a workshop hosted in April and California through modification of the CCPA’s regulations. Colorado’s inclusion of this provision in its legislation could signal the start of a trend.

Controllers under the CPA are also subject to a few unique requirements, including data minimization: limiting the collection of personal data to what is adequate, necessary and relevant to the specified purpose.

Similarities between CPA and Existing Regulations

Organizations attempting to comply with the CPA can take comfort in knowing that much of it is borrowed from existing regulations. For example, the rights to access, review and correct data are similar to those in the California Consumer Privacy Act (CCPA), the Consumer Data Protection Act (CDPA) in Virginia, the General Data Protection Regulation (GDPR) in Europe, and various sector-specific laws. As under the CCPA, CDPA and GDPR, companies are also required to enter into written agreements with third parties, vendors and service providers that process data on their behalf.

The CPA’s consumer notice requirements are also similar to other legislative frameworks. Under the CPA, companies must maintain a privacy notice that describes the categories of data collected, the purposes for which data is processed, how and where consumers may exercise their rights, and the categories of third parties with whom data is shared, among other things.

The CPA’s applicability and scope are also limited in ways similar to the CDPA. For example, under both the CPA and CDPA, the definition of a “consumer” does not encompass individuals acting in a commercial or employment context, job applicants, or beneficiaries of individuals acting in an employment context.

Summary of Current State Legislation

The comparison below gives an overview of some of the key differences between the legislation in Colorado, Virginia and California:

Effective Date

- Colorado (CPA): July 2023
- Virginia (CDPA): January 2023
- California (CPRA): January 2023
- California (CCPA): January 2020 (will be replaced by the CPRA in 2023)

Companies Subject to the Law

- Colorado (CPA): companies that meet either of the following: (1) collect and store the personal data of more than 100,000 consumers; or (2) derive revenue from the sale of personal data of at least 25,000 consumers. Nonprofit entities that meet the above thresholds are subject to the requirements.
- Virginia (CDPA): companies that meet either of the following: (1) control or process the data of at least 100,000 consumers; or (2) control or process the data of at least 25,000 consumers and derive 50% of their revenue from the sale of personal data. Nonprofit entities are exempt.
- California (CPRA): companies that meet any of the following: (1) gross annual revenue of more than $25 million; (2) annually buy, sell or share for cross-context behavioral advertising the personal information of 100,000 or more consumers or households; or (3) derive more than 50% of revenue from selling or sharing personal information for cross-context behavioral advertising. Nonprofit entities are exempt.
- California (CCPA): companies that meet any of the following: (1) gross annual revenue of more than $25 million; (2) buy, receive or sell the personal data of more than 50,000 California residents; or (3) derive more than 50% of their revenue from selling personal data. Nonprofit entities are exempt.

Special Requirements for Sensitive Data?

- Colorado (CPA): Yes
- Virginia (CDPA): Yes
- California (CPRA): Yes
- California (CCPA): No

Consumer Opt-Out Rights?

- Colorado (CPA): Yes – compliance with a universal opt-out through a global privacy control browser setting required by July 2024
- Virginia (CDPA): Yes – on a website-by-website basis
- California (CPRA): Yes – on a website-by-website basis
- California (CCPA): Yes – on a website-by-website basis

Purpose/Processing Limitations?

- Colorado (CPA): Yes
- Virginia (CDPA): Yes
- California (CPRA): Yes
- California (CCPA): Yes

Requires a Risk Assessment or Data Protection Assessment?

- Colorado (CPA): Yes – for certain processing activities
- Virginia (CDPA): Yes – for certain processing activities
- California (CPRA): Yes – for certain processing activities
- California (CCPA): No

Special Requirements for Youth Data?

- Colorado (CPA): No
- Virginia (CDPA): Yes – opt-in required if under 13
- California (CPRA): Yes – opt-in required if under 16
- California (CCPA): Yes – opt-in required if under 16