The final countdown has begun to July 1, 2023, when the Colorado Privacy Act (the “CPA”) takes effect.
The CPA joins a fast-growing number of state comprehensive privacy statutes. We have previously written on the laws from California, Virginia, and Utah. The CPA closely resembles those laws in, for example, granting state residents the right to access, correct, delete, and opt out of the sale of their personal data. But the CPA is different in critical ways.
- First, the CPA applies not only to businesses but also to nonprofits that control or process the personal data of a threshold number of Colorado residents each year: the threshold is 25,000 Colorado residents if the organization derives revenue (or receives a discount) from selling personal data, and 100,000 if it does not. The CPA’s nonprofit coverage is a first for U.S. state comprehensive privacy laws, but it could be a harbinger of what is on the horizon.
- Second, like California’s CCPA and, for now, no other state law in effect, the CPA requires covered organizations to recognize “universal opt-out mechanisms” as a way for consumers to opt out of the sale of their data and of targeted advertising. Universal opt-out mechanisms are signals sent, for example, through specialized internet browser settings or extensions that let individuals declare, once, that they do not want their data sold or used for targeted advertising, rather than opting out site by site.
- Third, the CPA’s prohibition on discrimination, which partly mirrors Virginia’s, arguably goes much further than California’s CCPA. The only discrimination the CCPA recognizes is discrimination against consumers for exercising their rights under that law. Colorado’s CPA, by contrast, imposes a duty not to process personal data in violation of federal or Colorado antidiscrimination laws. Those laws proscribe discrimination on a wide range of grounds, such as race or sex. The Colorado Attorney General has promulgated rules under the CPA, but the rules do not clarify which antidiscrimination laws are incorporated, what constitutes a violation, or how violations will be enforced. In theory, the Attorney General (who shares enforcement authority under the CPA with the state’s district attorneys) could impose civil penalties for violations of various federal or Colorado antidiscrimination statutes if those violations involve processing the data of a Colorado resident. Colorado residents themselves, however, have no private right of action under the CPA.
Compliance with the CPA, for businesses and nonprofits alike, will demand a careful review of an organization’s data systems and policies from both a technical and a legal perspective. The Attorney General’s rules under the CPA are detailed, addressing such areas as what a privacy notice must contain, how to conduct a data protection assessment before undertaking processing that presents a heightened risk of harm, and requirements for profiling and automated decision-making. Organizations will also need to grapple carefully with issues arising from the interplay between the CPA and other state privacy regimes.
And Colorado is not the end of the road; other states’ comprehensive laws are on their way. Connecticut’s law also takes effect on July 1, 2023. Indiana, Iowa, Montana, Tennessee and, most recently, Florida and Texas have also passed privacy legislation, with effective dates falling between 2024 and 2026. Texas’ legislation in particular is one to watch: while it exempts nonprofits and small businesses, it contains no minimum threshold of Texas residents to trigger coverage, potentially sweeping in businesses with only minimal connections to the Lone Star State. A variety of similar privacy bills have also been moving through the legislatures of states including Delaware, Hawaii, Illinois, Kentucky, Louisiana, Maine, Minnesota, New Hampshire, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Vermont, and Washington.
The CPA and the laws that follow it continue a long-brewing U.S. trend toward legislating privacy rights as a form of property rights: granting individuals control over their personal information long after they hand it to third parties, and imposing obligations on businesses (and now nonprofits) aimed at preserving those rights for the individual’s benefit. Whether the growing patchwork of state privacy laws will ever be unified (or redefined) by a federal privacy framework remains to be seen. For the time being, organizations that collect personal data need to maintain constant vigilance to ensure ongoing compliance with an ever-growing number of relevant laws.