New Colorado Privacy Act (CPA) Follows in CA’s and VA’s Footsteps

Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) on July 7, 2021. The bill was signed into law after it passed in Colorado’s House and Senate a month earlier. The law will go into effect on July 1, 2023.

Colorado is the third state in the United States to pass comprehensive privacy legislation, following Virginia’s Consumer Data Protection Act (CDPA) in 2021, and California’s Privacy Rights Act (CPRA) in early 2021. Because there’s a lack of federal regulation concerning privacy, it’s a growing trend for states to build their own legislation.

The CPA is similar to the regulations set forth by Virginia and California — the main impact will be on businesses and organizations that deal with consumer data. In other states like Washington, Florida, and New York, there have been attempts to pass similar legislation, but they were unsuccessful. Data privacy can be a controversial topic.

Protecting consumer data is paramount in today’s digital economy, so it’s no surprise that states are taking a strong stance by passing these types of regulations.

Overview of the CPA

The main objective of the CPA is to protect personally identifiable information (PII) that controllers and processors of data have access to.

So, who does this law apply to? Any organization that conducts business in Colorado or creates commercial products or services that target citizens in Colorado, and that either controls or processes the data of over 100,000 consumers per year, or earns revenue from the sale of data and controls or processes personal data of 25,000 consumers.

There are some instances where data exemptions come into play. For example, data gathered by employers from people who apply for jobs, or from anyone who acts as a beneficiary in an employment context, is exempt from the law.

Another distinction in the law is that nonprofit organizations are not exempt if they meet specific criteria, which is a crucial difference from the Virginia and California laws. This may help nonprofits in their efforts to stop internal fraud, which makes up 9% of all fraud cases reported by certified fraud examiners.

In addition, consumers have specific rights under the new CPA, enhancing consumer protection and giving more control to the consumer.

What rights do consumers have?

The following are the specific rights granted to consumers regarding their personal information (PI): consumers can opt out of the processing of their PI; consumers can choose an authorized person to act on their behalf to opt out of the processing of PI (if the purposes are for targeted advertising or sale of data); consumers have access to the data and whether or not it’s being processed; consumers can correct personal data; consumers can delete their personal data; consumers can ask for consent before the collection of PI.

Keep in mind that consumers cannot opt out of the unnecessary or irrelevant collection of personal data under the CPA. The opt-out is only to be used for targeted advertising or the sale of their personal data.

What data is protected?

There are two categories of data defined under the law: personal information, and personally identifiable information. Below are some examples of PI that apply in combination with someone’s first and last name: Social Security number; driver’s license number; student, military, or passport ID; medical information; health insurance ID; any biometric data (fingerprints, retinal scans, iris recognition).

As for PII, there are some extra provisions to keep in mind: passwords; passcodes; financial transaction devices; financial account numbers.

It’s clear that this law takes many types of data into account and protects the confidentiality of the consumer.

Controller and processor obligations

Businesses are limited in their ability to collect and process data, which also depends on the purpose for which they’re trying to collect data. Some of the responsibilities businesses have to follow if they want to remain compliant with the CPA are: businesses must identify the purpose of their data collection and processing; businesses are required to collect data in limited, relevant, and reasonable circumstances; businesses cannot use PI or PII for purposes other than the specific purpose set forth earlier; businesses must take reasonable care to protect and safeguard the data they do collect; businesses are prevented from using data to discriminate against a consumer under any other state or federal law; businesses cannot engage in any activity that could cause harm to consumers; processors must work under contracts and follow other legal obligations.

As you can see, there are specific rights afforded to consumers, and businesses must follow these requirements to comply with the CPA.

The future of data privacy

Much of the content outlined in this legislation is not necessarily groundbreaking, but it offers just another safeguard for consumers and their PI and PII. Consumers can better understand how exposed their data is and be educated about their opt-out mechanism. Data privacy will continue to be an emerging trend within state legislatures.