Colorado

Summary

Law: The Colorado Privacy Act ('CPA')

Regulator: The Colorado Attorney General ('AG')

Summary: The Colorado Privacy Act (CPA) came into effect on July 1, 2023, making Colorado the third US state to pass its own privacy law. The CPA provides for several privacy rights, including the right to opt out of the processing of personal data, the right to access, correction, and deletion of personal data, and the right to obtain a portable copy of the data. The CPA also imposes obligations on data controllers such as purpose specification, data minimization, and the use of sensitive data, among other requirements. In addition, the CPA requires data controllers to conduct assessments when processing personal data in activities that present a heightened risk to consumers and assigns enforcement powers to the Colorado Attorney General (AG) and District Attorneys.

In addition to the CPA, House Bill 18-1128 for an Act Concerning Strengthening Protections for Consumer Data Privacy (the Act) was signed into law and entered into force on May 29, 2018. The Act amends § 6-1-713 of the Colorado Revised Statutes and concerns, among other things, the disposal of personal identifying information by requiring a written policy to be developed for the destruction or proper disposal of such documents. The Colorado Revised Statutes, as amended by the Act, set out the breach notification requirements, including stipulating the content and time frame for notices to be sent to the AG.

You can follow legislative developments in the US through the USA State Law Tracker.

Insights

Colorado became the first state to adopt a comprehensive AI framework when Governor Polis signed Senate Bill 205. The law, unlike the EU Artificial Intelligence Act (AI Act), does not ban certain uses of artificial intelligence (AI). Instead, Colorado focused on accountability; the law adds guardrails designed to prevent discrimination from certain high-risk AI uses and imposes transparency obligations for companies that use or create those tools. But it is not all bad news for companies navigating this fluid field: the law is delayed until February 2026, it is enforced exclusively by the Attorney General (AG), and there are strong safe harbors (both rebuttable presumptions and an affirmative defense). And, if Governor Polis' wishes are heeded, the framework will undergo significant revisions before it takes effect.

The law primarily regulates activities concerning high-risk AI systems, but there is also a transparency obligation for companies using any AI system to interact with consumers. The law applies to a company that does business in Colorado and either creates/modifies a high-risk AI system (developer) or uses such a system (deployer). Most of the obligations apply even if the AI system is not used in Colorado. So, companies cannot avoid the law merely by refusing to sell high-risk AI systems to Colorado companies or refraining from using such systems in the state.

In this Insight article, Camila Tobón and Josh Hansen, from Shook, Hardy & Bacon, provide an overview of the law (including the momentum, already, to change it), compare it to existing AI laws, and conclude with some open questions about the law's impact.

In this Insight article, John Romano and Jessie Adamson, from Baker Tilly, delve into Colorado's recent regulatory developments, specifically focusing on life insurers' utilization of Big Data, external consumer information, algorithms, and predictive models.

On 15 March 2023, the Colorado Attorney General's ('AG') Office announced it had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State. The CPA Rules will go into effect on 1 July 2023 - the same date the Colorado Privacy Act ('CPA') goes into effect.

The CPA Rules both operationalise the CPA and create additional compliance obligations for controllers, including in the areas of privacy notices, processing purposes, secondary uses, data minimisation, the processing of sensitive data inferences, Data Protection Assessments ('DPAs'), and profiling. David Stauss, Partner at Husch Blackwell LLP, identifies and discusses those areas and provides key takeaways for controllers that must comply with the CPA.

In the US, California has been leading the charge in developing privacy standards and regulating the processing and selling of personal information, most importantly with the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA'), ('CCPA as amended'). Other states are adopting similar legislation: on 7 July 2021, the Colorado Governor, Jared Polis, signed Senate Bill 21-190 for the Colorado Privacy Act ('CPA') into law.

Lothar Determann, Helena Engfeldt, Jonathan Tam, and Tom Tysowksy, from Baker & McKenzie LLP, draw comparisons between the CPA and the CCPA as amended, focusing on who and what data is protected, compliance, and enforcement.

The Colorado Attorney General ('AG') announced, on 15 March 2023, that they had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State's Office. In particular, the CPA Rules implement the Colorado Privacy Act ('CPA') and expand on privacy requirements, including consumer requests, data protection assessments, profiling, and the universal opt-out mechanism, among other things.

In this Insight article, OneTrust DataGuidance Research provides an overview of the finalised version of the CPA Rules, highlighting key requirements introduced by the same.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

The Colorado Senate re-passed, on 8 June 2021, Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy ('CPA'), following their consideration of amendments made to SB 21-190 by the Colorado House of Representatives.

On 7 June 2021, the bill was signed by the Governor. The CPA will enter into effect on 1 July 2023.

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA') passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227 making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Consumer Privacy Act of 2018 ('CCPA') (effective now) and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.

Utah recently became the fourth U.S. State to pass comprehensive data privacy legislation, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act ('UCPA') was signed into law on 24 March 2022. The UCPA will enter into force in December 2023, at the same time as California's second comprehensive privacy law - the California Privacy Rights Act of 2020 ('CPRA'), Colorado's privacy legislation - the Colorado Privacy Act ('CPA'), and Virginia's privacy law - the Virginia Consumer Data Protection Act ('CDPA'). Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, compare the enforcement provisions of these four States' privacy statutes.