California Privacy Rights Act

State Privacy Patchwork Spreads with Signing of Colorado Privacy Act

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.

Applicability and Exemptions

Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:

  • The organization processes data on 100,000 or more Colorado consumers annually.
  • The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.

This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.

There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.

Substantive Rights Largely Mirror Other State Privacy Laws

The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:

  • Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
  • Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
  • Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
  • Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, [...]




The Uncertain “State” of US Data Protection Law: California Leads the Way

The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework for the personal information of California residents, imposing a variety of new obligations on affected businesses. Although the interpretation of many of the CCPA’s provisions remains unsettled—and proposed regulations are still pending—the CCPA’s original architects have already advanced another proposed law, the California Privacy Rights Act (CPRA), which will be decided in a statewide referendum this November. If enacted, the CPRA would substantially amend the CCPA, granting consumers additional rights and imposing further liability on businesses.

Whether or not it passes, the proposed CPRA highlights the fluid state of the US legal environment for data protection, which has left businesses around the world struggling to account for the uncertain risks and compliance costs posed by these developments.

It did not have to be this way. The developments in California are due in part to the failure of the US Congress to enact comprehensive federal data protection legislation. Despite widespread support, compromise on a federal standard remains elusive, with legislators unable to agree on critical questions, such as whether or not the law will pre-empt state laws like the CCPA.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.



