State Data Privacy Legislation Update
Earlier this month, Colorado joined California and Virginia as the third state to pass a comprehensive consumer data privacy bill. The Colorado Privacy Act (“CPA”) is a broad privacy law that applies to entities that produce products or services targeted to Colorado residents and that either (i) control or process personal data of more than 100,000 consumers per year; or (ii) sell personal data of at least 25,000 consumers. The CPA exempts several entities and types of personal information governed under federal law, including protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the Gramm-Leach-Bliley Act, and information regulated by the FCRA, COPPA, and FERPA.
The CPA provides consumers with rights for access, deletion, correction, portability, and the ability to opt out of targeted advertising, sales, and certain profiling decisions that have legal or similar effects.
There is no private right of action, but the Colorado Attorney General’s office and state district attorneys will enforce the CPA, with the ability to fine violators up to $500,000.
The CPA is scheduled to take effect on July 1, 2023.
Last month we reported on Connecticut SB 893, which would have created a comprehensive privacy law similar to the CCPA – requiring transparency from companies with respect to their data collection and use, while providing consumers with a variety of privacy rights. SB 893 made progress through the Connecticut legislature, but stalled in the Senate Appropriations Committee, where it failed to advance prior to the end of the legislative session on June 9.