Colorado joins the bandwagon, enacts comprehensive privacy law

Excerpted from a LewisRice blog by Billee Elliott McAuliffe, Alfred J. Ludwig and Melissa G. Powers

The year 2023 is proving to be an important year in the privacy world. Colorado recently joined an expanding list of states to have enacted comprehensive privacy laws.

Colorado’s law, known as the Colorado Privacy Act, or ColoPA for short, will take effect on July 1, 2023, only six months after the Virginia Consumer Data Protection Act (VA CDPA) and the California Privacy Rights Act (CPRA) take effect on January 1, 2023.

ColoPA offers many similarities to these laws, as well as to existing comprehensive privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA) and the EU’s General Data Protection Regulation (GDPR). Below is a summary of the key provisions of ColoPA and how it stacks up against other comprehensive privacy laws.

Applicability
ColoPA applies to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that meet one or both of the following thresholds:

1. Control or process personal data or more than 100,000 consumers per calendar year; or
2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data or at least 25,000 consumers.

ColoPA’s applicability thresholds are somewhat unique. For example, there is no threshold based solely on an entity’s gross revenue amount like under the CCPA. Rather, both thresholds are tied to personal data. While ColoPA’s applicability thresholds are similar to those in the VA CDPA, ColoPA’s second threshold is broader, encompassing receipt of discounts as well as any derivation of revenue from the sale of personal data, as opposed to VA CDPA’s threshold requiring derivation of 50% of gross revenue from the sale of personal data and not accounting for receipt of discounts.

ColoPA does not apply to (i) personal data governed by certain state and federal laws, such as HIPPA, HITECH, the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (GLBA); (ii) state or local governments, provided the data is only used for noncommercial purposes; or (iii) personal data maintained for employment records.

Additionally, like the VA CDPA, ColoPA expressly does not restrict a business’s ability to provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract.

Key Definitions
ColoPA defines “consumer” to mean a natural person who is a Colorado resident acting only in an individual or household context in providing personal data, which is analogous to the VA CDPA’s definition of consumer. ColoPA’s definition of consumer is narrower than the comparable definitions used in the CCPA and the GDPR, and specifically excludes an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of something acting in an employment context.

Under ColoPA “personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publically available information. Like the GDPR, CPRA, and VA CDPA, ColoPA also offers specific protections to “sensitive data”, which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; or (iii) personal data of a known child (13 years old or younger).

For the full story, click here.