On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act ("CPA") into law. Until a federal law addressing consumer data privacy is passed, we will continue to see additional state laws that address data privacy. Prior to Colorado passing its law, both California and Virginia had passed comprehensive data privacy legislation. The California Consumer Privacy Act ("CCPA") prompted other states to contemplate how businesses should protect consumer personal data. Virginia followed with the Consumer Data Protection Act ("CDPA"). The Colorado privacy law draws from both the CCPA and the CDPA. Businesses have until July 1, 2023, to comply with the regulations set forth in the CPA.

What are the similarities and differences between the CCPA and CPA?

Colorado Privacy Regulations v. California Privacy Regulations

The first step businesses should take when reviewing state consumer data privacy laws is to determine whether the state law even applies to them. The CPA and CCPA have different applicability criteria. The CPA applies to anyone that "conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado" and: 1) controls or processes the personal data of 100,000 consumers or more during a calendar year; OR 2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more. In comparison, the CCPA includes a threshold for businesses that have annual gross revenue of over $25 million in total, globally (regardless of where the revenue is derived from). Additionally, the CCPA applies to businesses that buy, receive, sell or share personal information of 50,000 or more California consumers, or derive 50% or more of annual revenue from selling consumer personal information. As such, the scope of the CPA is broader than that of the CCPA insofar as the CPA does not have a revenue threshold.

Similar to the CCPA, the Colorado privacy law establishes certain data privacy rights for consumers. Rights included in both laws are: 1) the right to opt out of the processing of personal data; 2) the right to access and delete personal information; and 3) the right to be informed of data collection. The CPA affords additional rights, including the right to correct personal data and the right to opt out of behavioral advertising. Please note, however, that the CCPA will also include the aforementioned rights when the California Privacy Rights Act ("CPRA") amendments to the CCPA take effect on January 1, 2023.

CPA Enforcement

Unlike the CCPA, the CPA does not contemplate a private right of action. The CCPA contains a limited private right of action where a California resident's "nonencrypted and nonredacted personal information" is subject to theft or disclosure because of a failure to maintain reasonable security measures. CPA enforcement is left to the Colorado Attorney General's Office and the respective district attorney offices of Colorado, whereas California vests enforcement authority solely in the California State Attorney General. Both statutes require the state to provide businesses with notices to cure any alleged violations prior to taking enforcement action. Colorado affords sixty (60) days to cure, and California thirty (30) days. Pursuant to the CPA, Colorado will be able to issue far stiffer penalties than California. Where civil penalties in California can range from $2,500 for non-intentional CCPA violations up to $7,500 for intentional violations, a violation of the CPA is classified as a deceptive trade practice and could result in a fine of up to $20,000 per violation.

Similar to the rollout of the CCPA, the State of Colorado will have time to adopt rules relating to CPA technical specifications for universal opt-out mechanisms. We will look out for the release of any new CPA regulations and update our readers accordingly.

Finally, for quick reference, please see the comparison chart below.

 

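|                         | CPA          | CCPA                         | CPRA                         |
|-------------------------|--------------|------------------------------|------------------------------|
| Effective Date          | July 1, 2023 | Jan. 1, 2020                 | Jan. 1, 2023                 |
| Right of Access         | Yes          | Yes                          | Yes                          |
| Right to Opt-Out        | Yes          | Yes                          | Yes                          |
| Right to Delete         | Yes          | Yes                          | Yes                          |
| Right to Correction     | Yes          | No                           | Yes                          |
| Private Right of Action | No           | For security violations only | For security violations only |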




The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.