Skip to Content

State Data Privacy Legislation Update

on Thursday, 1 July 2021 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor


Earlier this month, Colorado joined California and Virginia as the third state to pass a comprehensive consumer data privacy bill.  The Colorado Privacy Act (“CPA”) is a broad privacy law that applies to entities that produce products or services targeted to Colorado residents that either (i) control or process personal data of more than 100,000 consumers per year; or (ii) sell personal data of at least 25,000 consumers.  The CPA exempts several entities and types of personal information governed under federal law, including protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the Gramm Leach-Bliley, and information regulated by the FCRA, COPPA, and FERPA.

The CPA provides consumers with rights for access, deletion, correction, portability, and the ability to opt out of targeted advertising, sales, and certain profiling decisions that have legal or similar effects.  

The CPA establishes duties for data controllers, including the duties of transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and duties regarding sensitive data.  These duties create related obligations, such as providing a privacy policy, establishing and implementing security practices to protect personal data, and obtaining consent prior to processing sensitive data or children’s data.  The privacy notice must include information related to: (i) the categories of personal data collected, processed, and/or shared with third parties; (ii) the purposes for processing such data; (iii) the categories of third parties with whom the controller shares personal data; (iv) how and where consumers may exercise their rights; and (v) whether the controller sells personal data or processes personal data for targeted advertising.

There is no private right of action, but the Colorado Attorney General’s office and state district attorneys will enforce the CPA, with the ability to fine violators up to $500,000.

The CPA is scheduled to take effect on July 1, 2023.


Last month we reported on Connecticut SB 893, which would have created a comprehensive privacy law similar to the CCPA – requiring transparency from companies with respect to their data collection and use, while providing consumers with a variety of privacy rights.  SB 893 made progress through the Connecticut legislature, but stalled in the Senate Appropriations Committee where it failed to advance prior to end of the legislative session on June 9.

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500