On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. Until a federal law addressing consumer data privacy is passed, we will continue to see additional state laws that address data privacy. Prior to Colorado passing its law, both California and Virginia had passed comprehensive data privacy legislation. The California Consumer Privacy Act (“CCPA”) prompted other states to contemplate how businesses should protect consumer personal data. Virginia followed with the Consumer Data Protection Act (“CDPA”). The Colorado Privacy law draws from both the CCPA and the CDPA. Businesses have until July 1, 2023, to comply with the regulations set forth in the CPA.
What are the similarities and differences between the CCPA and CPA?
Colorado Privacy Regulations v. California Privacy Regulations
The first step businesses should take when reviewing state consumer data privacy laws is to determine whether the state law even applies to them. The CPA and CCPA have different applicability criteria. The CPA applies to anyone that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and: 1) controls or processes the personal data of 100,000 consumers or more during a calendar year; OR 2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more. In comparison, the CCPA includes a threshold for businesses that have annual gross revenue of over $25 million in total, globally (regardless of where the revenue is derived from). Additionally, the CCPA applies to businesses that buy, receive, sell or share personal information of 50,000 or more California consumers, or derive 50% or more of annual revenue from selling consumer personal information. As such, the scope of the CPA is broader than that of the CCPA insofar as the CPA does not have a revenue threshold.
Similar to the CCPA, the Colorado privacy law establishes certain data privacy rights for consumers. Rights included in both laws are: 1) the right to opt out of the processing of personal data; 2) the right to access and delete personal information; and 3) the right to be informed of data collection. The CPA affords additional rights, including the right to correct personal data and the right to opt out of behavioral advertising. Please note, however, that the CCPA will also include the aforementioned rights when the California Privacy Rights Act (“CPRA”) amendments to the CCPA take effect on January 1, 2023.
Unlike the CCPA, the CPA does not contemplate a private right of action. The CCPA contains a limited private right of action where a California resident’s “nonencrypted and nonredacted personal information” is subject to theft or disclosure because of a failure to maintain reasonable security measures. CPA enforcement is left to the Colorado Attorney General’s Office and the respective district attorney offices of Colorado, whereas California vests enforcement authority solely in the California State Attorney General. Both statutes require the state to provide businesses with notice and an opportunity to cure any alleged violations prior to taking enforcement action. Colorado affords sixty (60) days to cure, and California thirty (30) days. Pursuant to the CPA, Colorado will be able to issue far stiffer penalties than California. Where civil penalties in California can range from $2,500 for non-intentional CCPA violations up to $7,500 for intentional violations, a violation of the CPA is classified as a deceptive trade practice and could result in a fine of up to $20,000 per violation.
Similar to the rollout of the CCPA, the State of Colorado will have time to adopt rules relating to CPA technical specifications for universal opt-out mechanisms. We will look out for the release of any new CPA regulations and update our readers accordingly.
Finally, for quick reference, please see the comparison chart below.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.