Colorado has joined the laundry list of states with state-specific consumer data privacy laws in the works.
Two state senators, Democrat Robert Rodriguez and Republican Paul Lundeen, introduced legislation around a comprehensive consumer privacy bill, the Colorado Privacy Act, or CPA (SB21-190) two weeks ago in the Colorado Senate.
It should probably come as little surprise that the bill mirrors legislation already on the books in other states, including California - the California Consumer Privacy Act, and Virginia - the recently passed Consumer Data Protection Act.
As the laws differ from state to state, companies in each state will want to remain cognizant of whether they need to comply with a consumer data privacy law and second, what each law requires of them.
Colorado's law, if passed, would apply to any data controller, anyone who "alone or jointly with others, determines the purposes and means of processing personal data" and processor, anyone who "processes personal data on behalf of a controller. "
Data controllers who conduct business or produce products targeted to Coloradans would have to comply with the law, as would any company that controls or processes personal data belonging to more than 100,000 consumers per year or makes money from selling the data of at least 25,000 consumers.
As is the case with similar consumer privacy laws - CCPA has a HIPAA-specific carve-out for entities that process healthcare data – Colorado’s law would exempt data covered under state and federal laws, like HIPAA, data under Substance Abuse Confidentiality Regulations, data under the Federal Policy for the Protection of Human Subjects, the Gramm-Leach-Bliley Act, and information gathered for employment.
If an organization is found in violation of the CPA, they'd be subject to an injunction and civil penalty of up to $2,000 for each violation – with no penalty cap. Unlike other states, under the current legislation, organizations wouldn't be given a grace period, essentially time to cure a violation before an action is brought against them.
As far as consumers go, like in California, under the Colorado legislation, they’d be able to opt out of having their personal data processed or sold, especially as it pertains to targeted advertising. They can also ask organizations to delete data on them, correct inaccurate data, and confirm whether organizations are in possession of their personal data in the first place.
Consumers hoping the legislation will grant a private right of action will be let down; if it moves forward, the CPA is slated to be enforced by the state's attorney general and district attorneys. This is mostly in line with Virginia’s law; California’s CCPA and the state’s forthcoming CPRA grants a limited private right of action for consumers.
While the bill is still in its infancy - it's been introduced and is still pending in the state's Business, Labor, & Technology committee – if it advances, it will be yet another data security imperative for organizations to comply with.
The bill joins similar bills in the works in Connecticut, Florida, New York, Minnesota, Oklahoma, Ohio, and Washington, to name a few states.
Having a data protection plan, especially one that provides an organization with visibility and helps facilitates data security, can go a long way satisfying this and other changing laws.
