Colorado’s governor, Jared Polis, signed the Colorado Privacy Act (“CPA”) into law on July 7th, 2021.  

Colorado joins California and Virginia as the third state with a comprehensive privacy law in the United States. 

CPA adds nuance and complexity to the growing patchwork of US data protection requirements. We will follow up with more discussion on how this impacts your business in the lead-up to the law’s effective date (July 1, 2023). Here are a few key highlights:

Who Is Protected?

CPA protects Colorado residents acting in their individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).

Who Is Regulated?

CPA regulates “controllers” that conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents (“consumers”) and meet one of two thresholds: (1) control or process personal data of at least 100,000 consumers or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process personal data of at least 25,000 consumers.

CPA does not apply to state agencies or political subdivisions of Colorado, entities or data subject to GLBA, higher education institutions and data collected by covered entities or business associates governed by HIPAA. 

What Changes Are Needed in Contracts?

The CPA requires controllers to include a list of provisions in their contracts with processors, including, but not limited to, provisions requiring the processor to allow for audits and inspections and to ensure that its employees involved in the processing of data are subject to a duty of confidentiality.

How Will CPA Be Enforced?

CPA does not include a private right of action. CPA may be enforced by the Colorado Attorney General’s Office and District Attorneys. The AG and DAs will have authority to ask a court to enjoin businesses whose actions are in violation of the CPA. For the first two years of the law, entities will have a 60-day notice and cure period to remedy any violations of the law before the AG or DAs can initiate an enforcement action. This cure period will be automatically repealed on January 1, 2025.

Stay tuned as Womble Bond Dickinson's Privacy and Cybersecurity Team provides more updates in the weeks to come.