News & Resources

Publications & Media

Colorado (Officially) Joins the Data Privacy Fray: Colorado Privacy Act Signed into Law

Data Privacy & Security Linda C. Emery, Heather L. Buchta

Colorado’s Governor Jared Polis signed the Colorado Privacy Act this week, making Colorado the third state to implement broad consumer data privacy protections. The Colorado Privacy Act (CPA), which Governor Polis signed on July 7, 2021, comes on the heels of the Virginia Consumer Data Protection Act earlier this year and the California Privacy Rights Act passed in the November 2020 election. Get ready to update your privacy policies and practices again!

However, when signing the CPA into law, the Governor issued an accompanying statement which was not a sweeping endorsement of the CPA. Governor Polis recognized the concerns and struggles in balancing technical innovations and a welcoming business environment on the one hand, and consumer protection on the other hand. Governor Polis immediately called for the continuation of negotiations on “clean-up legislation”. He noted that industry, consumers and legislators are actively continuing their work in that regard and urged the parties to strike the right balance between business and consumers.

The CPA is effective in July of 2023, which allows time to prepare, particularly since Colorado’s law follows a number of the trends set by Virginia and California. Notwithstanding those similarities, the Colorado law has some unique characteristics to keep an eye on:

- First, it expressly contemplates that by July of 2024 websites will need to recognize and honor “user-selected universal opt-out” mechanisms that meet the technical specifications to be established by the Colorado Attorney General by July of 2023. California tried a similar initiative over a decade ago and couldn’t find industry agreement on the technology sufficient to make such a universal tag feasible. It remains to be seen whether technological developments in the intervening time provide for more options.

- Second, it applies to business that produces or delivers commercial products or services that are intentionally targeted to Colorado residents, and either (1) controls/processes data of 100,000 or more consumers, or (2) derives any revenue or discounts from the “sale” of personal data of 25,000 or more consumers. For companies relying on a specific percentage of revenue derived from sales of data, there is no minimum threshold in Colorado.

- Third, it does not expressly exclude non-profit organizations. However, it does limit its application to business that produces or delivers “commercial” products or services. “Commercial” is not defined, however, which may require some non-profits to evaluate their business models and offerings.

- Fourth, it requires processors to give controllers notice of all subcontractors and an opportunity to object, which goes a step further than either Virginia or California have yet to go, inching closer to an EU-style notice with respect to subprocessors.

- Finally, there is a 60-day cure period for any violations of the CPA, but that cure period is repealed on January 1, 2025. Companies will need to implement CPA compliance before 2023 and use 2023 and 2024 to work the kinks out of their privacy compliance programs. The ease with which that task may be accomplished, however, will in large part depend on any other challenges presented by other States stepping into this space in that timeframe and creating potential complications with CPA compliance.

For now, 2023 seems to be the target date for the next round of updated data privacy compliance. Time to make haste while the sun shines….

For guidance and advice on implementing changes to your data privacy programs in light of changing state laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your current Quarles & Brady counsel or: