By Tim Rollins
The CPA (Colorado Privacy Act) will go into effect on July 1, 2023—six months after the Virginia Consumer Data Protection Act (CDPA) and California Privacy Rights Act (CPRA), which have effective dates of January 1, 2023.
On June 8, 2021, the Colorado legislature officially passed the Colorado Privacy Act, establishing consumer rights for residents of Colorado.
The law applies to organizations that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
- Control or process personal data of more than 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The law does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.
The CPA establishes consumer rights similar to Virginia’s:
- Right to opt out: Consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or automated profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right of access: Consumers have the right to confirm whether a data controller is processing personal data concerning the consumer and to access that personal data.
- Right to correction: Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for which it is processed.
- Right to deletion: Consumers have the right to delete personal data concerning the consumer.
- Right to data portability: When exercising their right to access, consumers have the right to obtain their personal data in a portable and readily usable format that allows the consumer to easily transmit the data to another entity.
Expert Analysis by Matt Dumiak, Director of Privacy Services at CompliancePoint
In what turned out to be an extremely busy year at the state level for data privacy, the CPA adds to the existing patchwork of data privacy regulations in the US. The CPA will require businesses to update policies and contracts, analyze existing controls, and create and build new procedures to comply. While the consumer rights will look familiar, companies should be aware of the right to opt out of targeted advertising and specific types of profiling, which will have an impact on cross-functional teams and departments within the business. Further, businesses need to have an internal appeals process should they refuse to honor a right. This process must be easy to use and conspicuously available to the consumer. At the mid-point of 2021, it is a good time to start planning and preparing a plan of action to comply with the CPA, which goes into effect on July 1, 2023.
Data Privacy Tip
To stay up to date on state privacy laws, make sure to bookmark Exterro's Interactive Map of US Data Privacy Laws.