States continue to move forward in promulgating consumer data privacy laws and accompanying regulations. Currently there are five states with comprehensive laws on their books, and Iowa is now poised to become the sixth. Both chambers of the Iowa State Legislature unanimously voted to approve Senate File 262. Businesses have wisely anticipated the various new regulations and are (or should be) making changes to their consumer data protection practices to comply with these laws. It is important to understand that each jurisdiction’s provisions are nuanced and do not necessarily impose the same or similar restrictions as those of other states. For example, in 2021, Governor Jared Polis signed Senate Bill 21-190: Protect Personal Data Privacy, establishing the Colorado Privacy Act (“CPA”). The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules (“Rules”). These Rules have now been approved and will go into effect on July 1, 2023. Entities will be required to comply with the Rules as of the first of July.
Colorado Privacy Act Explained
Like other states, Colorado has enacted a comprehensive regulatory data privacy measure. The simplified purpose of the law is to protect the personal data privacy of Colorado State residents when they act in an individual or household context, but not in a commercial or employment context. The associated new rules operate to further this aim. The CPA enables consumers to better understand what personal data businesses collect, share, and sell, and how that data is used. Under the statute, Colorado consumers will have the following personal data privacy rights:
- The right to opt-out from the sale of their personal data, or use of this data for targeted advertising and certain types of profiling;
- The right to know whether a business is collecting personal data;
- The right to access personal data that a business has collected about them;
- The right to correct personal data;
- The right to delete personal data; and
- The right to download and remove personal data from a platform in a format that allows the transfer to another platform.
How Do the New Rules Impact Colorado Privacy Act Compliance?
Colorado Privacy Act: Who, How, and When?
The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:
- Process the personal data of more than 100,000 Colorado State residents in any calendar year; or
- Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more Colorado State residents.
The Colorado Attorney General’s Office and the State’s district attorneys have exclusive enforcement power granted by the CPA. The Attorney General’s Office also has rulemaking authority under the law. Please note that there is no private right of action under the CPA. As mentioned above, the CPA goes into effect on July 1, 2023.
How to Make Sense of Colorado’s New Privacy Law
We cannot stress enough the importance of sorting through each states’ consumer data privacy laws to ensure that your business is compliant with these regulations. As a law firm with extensive experience in the industry, Klein Moynihan Turco is working to ensure that businesses are, and remain, compliant as data privacy laws continue to evolve. In order to make sense of the patchwork of state regulations, the best course of action is to reach out to an experienced data privacy attorney.
If you need assistance with Colorado data privacy compliance, please email us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Related Blog Posts: