What To Know About the Colorado Privacy Act (CPA)
In many ways, the Colorado Privacy Act of 2021 (“CPA”), also known as SB 21-190, is similar, but not identical, to its predecessors: the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Enforcement Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”).[1] The CPA focuses on data processing that presents a heightened risk of harm to the Colorado residents and consumers.[2] The CPA will grant Colorado residents the right to access, correct, and delete their personal data as well as opt-out of targeted advertising and the sale of their personal data.
What is personal data?
Personal data, or more commonly known as personal identifiable information (“PII”), is defined by the General Data Privacy Regulation as “information that is or about or related to an identifiable individual.[3] Simply put, any data that can be used to clearly identify an individual is personal data. The CPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.”[4] According to Pew Research Center, 79% of Americans report being “concerned about the way their data is being used by companies while 81% feel they have “very little [to] no control over the data companies collects.”[5] Personal data is a source for millions of startups and big corporations that turns it into customer insight, market predictions, and personalized digital services.
What is the CPA’s Purpose and how does it protect me?
On July 7th, 2021, Governor Jared Polis signed the CPA after passing both the Colorado’s State Senate and House.[6] As ongoing advances in technology have produced exponential growth in the volume of personal data being generated, collected, stored, and analyzed, these advances have presented both promises as well as potential risk. The CPA will apply to legal entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either: “(1) control or process the personal data of 100,000 or more consumers during a year, or (2) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data.”
The purpose of the CPA is to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate.”[7] The CPA requires corporations to a provide, but not limited to, reasonably clear, accessible privacy notice; specify the express purpose for which personal data will be collected and processed; and not to process personal data for other purposes unless receiving consumer consent. The CPA will go into effect on July 1, 2023, giving privacy rights to all Colorado residents over their personal data.
[1] Three’s Company: Colorado Becomes Third U.S. State to Enact Comprehensive Privacy Law, Maynard Cooper & Gale LLP (Jul. 14, 2021), https://www.maynardcooper.com/threes-company-colorado-becomes-third-u-s-state-to-enact-comprehensive-privacy-law.
[2] F. Paul Pittman, Mark Williams, Kyle Levenberg, Shira Shamir, Colorado Privacy Act: US Consumer Data Privacy Framework Continues Expansion, White & Case LLP (Jul. 09, 2021), https://www.whitecase.com.
[3] Richie Koch, What is considered personal data under the EU GDPR?, The General Data Privacy Regulation European Union, https://gdpr.eu/eu-gdpr-personal-data/.
[4] S.B. 21-190 Gen. Assemb. (Colo. 2021)
[5] Brooke Auxier, Monica Anderson, et al., American and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15.
[6] OneTrust, What You Need to Know: Colorado Privacy Act, YouTube (Jul. 9, 2021), https://www.youtube.com/watch?v=4M-lU5gh4OU.
[7] Colorado Enacts Privacy Act, Becoming Third State with Comprehensive Privacy Law, Koley Jessen LLP (Jul. 8, 2021), https://www.koleyjessen.com/newsroom-publications-colorado-enacts-privacy-act.