Colorado Passes Consumer Data Privacy Law

In more good news for data privacy legislation in the US, the Colorado Legislature passed the Colorado Privacy Act (CPA) on June 8, 2021. 

Colorado joins California and Virginia in having comprehensive privacy legislation.

Like the California Consumer Privacy Act and the Virginia Consumer Data Protection Act, the CPA gives consumers some significant rights to control their personal data:

  • Consumers will be able to opt out of the sale of personal data and the processing of their data for targeted advertising and profiling purposes. Consumers will also be able to authorize another person to opt out on their behalf. 
  • Consumers will need to consent (opt in) to companies processing “sensitive” personal data, which may include information about their religious beliefs, sexual orientation, race/ethnicity, citizenship status, and physical or mental health.
  • Consumers will be able to request that companies delete their personal information or correct it for inaccuracies. 

But Colorado goes further than California and Virginia in some areas; for example, by providing for: 

  • Rigorous limitations on secondary uses of data and the requirement for opt-in on those uses. Companies will have to state the purposes for which they’re collecting information and not change purposes later.
  • Banning companies from using dark patterns, which are intentional UX features of websites and apps designed to make it harder for users to do what they want, either through complexity or deception. Dark patterns are like traps to get more of users’ personal information and to tempt users into buying products and services. 
  • A “universal” opt-out mechanism, which commentators say is like the new Global Privacy Control solution. This means consumers can opt out of data collection for advertising purposes across all services at once rather than opt out separately at each site or company they access. 
  • A 60-day cure period in which companies can fix any mistakes in compliance. This cure period will be phased out in January 2025.

The CPA will apply to any organization that does business in Colorado or targets Colorado residents with its products and services, and that processes or controls the personal data of more than 100,000 consumers a year, or derives revenue from selling personal data and processes or controls the personal data of 25,000 consumers or more.

Fines for non-compliance can be up to $500,000. The CPA will come into effect on July 1, 2023.
