Colorado is set to become the third state with a robust general privacy law, as legislatures consider and approve privacy legislation during their 2021 sessions. Virginia lawmakers passed comprehensive general privacy legislation earlier this year.
Connecticut lawmakers also approved two data protection and cybersecurity bills but fell one vote short of enacting an omnibus privacy law that would have mirrored California’s law.
The Colorado legislation, which was signed by Gov. Jared Polis in July and will take effect on July 1, 2023, is modeled after the California Consumer Privacy Act (CCPA), the California Privacy Rights Act, the Virginia Consumer Data Protection Act (VCDPA) and the European Union General Data Protection Regulation (GDPR), according to attorneys Eddie Holman and Amanda Irwin from law firm Wilson Sonsini Goodrich & Rosati.
The Colorado Privacy Act (ColoPA) prescribes data rights for consumers and duties for controllers and processors of data. “Similar to the VCDPA and the GDPR, it assigns controllers the responsibility of conducting data protection assessments” for certain activities, Holman and Irwin wrote. “ColoPA tracks more closely to the VCDPA with regard to its robust rights to opt out of the sale of personal data and opt out of the processing of personal data for targeted advertising and certain types of profiling, as well as its requirement to obtain consent before processing sensitive personal data.”
Similar to the Virginia law, ColoPA extends broad exemptions for financial institutions subject to HIPAA, along with exemptions for entities covered by the financial industry’s Gramm-Leach-Bliley Act and for state institutions of higher education. According to Holman and Irwin, the legislation also contains certain data-based exemptions, particularly around protected health information under HIPAA and health records under related law, as well as personal data regulated by the Fair Credit Report Act, the federal Driver’s Privacy Protection Act, the Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act.