
New Twists Coming to US Privacy Laws, Courtesy of Colorado's Comprehensive Privacy Legislation

This summer, Colorado will join the growing list of U.S. states that have comprehensive privacy legislation in effect. Although largely consistent with other existing laws in California and Virginia and pending laws in multiple other states, the Colorado Privacy Act (CPA) has some unique features that set it apart from other state privacy laws. For example, the law applies not only to for-profit companies but also to nonprofit organizations. In addition, the CPA requires affirmative consent to process "sensitive data" such as health or financial data. This is a higher standard than many other state privacy laws, which only require opt-out consent for sensitive data. Starting in July 2024, the law will require recognition of a universal privacy opt-out such as Global Privacy Control. Finally, the CPA explicitly delegated enforcement authority to the state attorney general, which has issued compliance regulations that require data privacy impact assessments and expanded disclosure requirements for consumer loyalty programs.  

Why It Matters

The CPA takes effect on July 1, 2023, and will increase the stakes for privacy compliance. Companies that already have a privacy program designed to comply with California laws may still have to review their privacy policy and back-end processes to be sure they have the right measures in place, and some nonprofits will have to address privacy concerns for the first time. The law will have a 60-day cure period for the first year, which should help covered companies and nonprofits work out any kinks in their operations. After that, violations can carry penalties of up to $20,000 per violation.

In June 2021, Colorado became the third U.S. state to enact comprehensive legislation requiring companies to give consumers the ability to access, correct, delete and opt out of the sale of their personal information or processing of this data for targeted advertising and profiling purposes. While seven other states have since added their own laws to the patchwork, the Colorado Privacy Act remains a standout in several respects, including its unique application to nonprofits, its strict consent requirements for sensitive data and its mandate that the state's attorney general create specific regulations for the law.

Tags

data security and privacy, hill_mitzi, insights