Colorado Governor Signs Comprehensive Data Privacy Bill — How Does It Compare to California and Virginia?

On July 7, Governor Jared Polis signed Colorado’s comprehensive data privacy bill (SB 21-190) into law. The Colorado Privacy Act (CPA) will go into effect on January 1, 2023, making Colorado the third state to enact a comprehensive data privacy law.

As we previously explained, the CPA is very similar to the California Privacy Rights Act of 2020 (CPRA), which amended the California Consumer Privacy Act of 2018 (CCPA), and the recently enacted Virginia Consumer Data Protection Act (VCDPA). A few provisions unique to the CPA include:

• Rulemaking. Under the CPA, the attorney general has broad rule-making authority, similar to the CCPA/CPRA, but unlike the VCDPA.

• Consumer’s Rights. Under the CPA, an authorized agent can only submit a request on behalf of a consumer for the right to opt out of the sale of the consumer’s data. This differs slightly from the CCPA, which permits an authorized agent to submit any request on behalf of the consumer.

• Opt-Out Requests. Under the CPA, consumers must be able to opt out of the sale or sharing of personal data for the purposes of targeted advertising through a user-selected “universal opt-out mechanism” (i.e., a consumer must be able to click one button to exercise all opt-out rights), which meets technical specifications that the attorney general must establish by July 1, 2023. This differs from the CCPA, which makes a universal or global control optional.

• Enforcement. Under the CPA, enforcement falls on both the attorney general and district attorneys. This differs slightly from the CCPA and VCDPA, which currently only permit enforcement by the attorney general and, in limited circumstances, by private right of action under the CCPA for data breach-related claims. The CPRA, which amends the CCPA, also creates a separate enforcement authority.

• Right to Cure. Under the CPA, the controller has 60 days to cure a violation after the attorney general or district attorney provides notice. The CCPA and VCDPA only provide 30 days to cure.

  • Critically, unlike the CCPA or VCDPA, the CPA’s right-to-cure provision expires on January 1, 2025.

• Exemptions. Under the CPA, certain health information is exempt, including protected health information as defined by HIPAA. However, no entity-wide exemption exists for covered entities and business associates as defined by HIPAA. This is dissimilar to the VCDPA (but similar to the CCPA/CPRA), which provides entity-wide exemptions.

To further assist your review of your privacy program, below find a high-level comparison of the CPA’s key requirements and consumer rights to the CCPA, CPRA, and VCDPA.