Colorado

Subscribe to Colorado
State Privacy Guide_widget_300x196-04

Keypoint: The CPRA requires that businesses use certain types of sensitive personal information only for limited purposes, otherwise they must notify consumers of the additional purposes and provide consumers the opportunity to opt-out of such processing, while the VCDPA and CPA require controllers to obtain consumer consent and conduct data processing assessments prior to processing sensitive data. 

This is the fourth article in our ten-part weekly series comparing key provision of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat sensitive personal information. The CPRA has a broad definition of sensitive personal information although, to be subject to the law’s limitations, a business must collect or process that information for the “purpose of inferring characteristics about a consumer.” If so, the CPRA grants consumers the right to limit a business’s processing of such data to certain purposes specified in the law. Conversely, the VCDPA and CPA define sensitive data differently than the CPRA and require controllers to obtain consumer consent and conduct a data processing assessment prior to processing such information.

Below is an analysis of this topic.

Continue Reading How do the CPRA, CPA & VCDPA treat sensitive personal information?

State Privacy Guide_widget_300x196-03

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

Continue Reading How do the CPRA, CPA & VCDPA approach data protection assessments?

State Privacy Guide_widget_300x196-02

Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.

This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.

Below is an analysis of this issue.

Continue Reading How do the CPRA, CPA & VCDPA treat biometric information?

Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.

On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.

In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.

Continue Reading Colorado AG to Engage in Robust Colorado Privacy Act Rulemaking

Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.

In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.

Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.

Continue Reading How do the CPRA, CPA & VCDPA treat publicly available information?

Keypoint: On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act into law, making Colorado the third state to pass broad consumer privacy legislation.

On July 7, 2021, Colorado officially became the third state to pass broad consumer privacy legislation when Governor Jared Polis signed the Colorado Privacy Act (CPA) into law.

Keypoint: This week the Colorado legislature passed the Colorado Privacy Act.

Below is our sixteenth weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we need to make a few announcements.

This will be our last weekly update – for now. With the legislatures in so many states having adjourned for the year and the bills in the remaining states not moving forward, we will be pausing our weekly updates. Rest assured, we will be back when things heat up again.

Even though we are pausing our weekly updates, we are not slowing down our work on state consumer privacy legislation.

On June 15, we will be hosting a webinar on the Colorado Privacy Act. Click here to register.

Starting Monday, June 21, we will be releasing a limited podcast series with interviews of state lawmakers who spearheaded privacy legislation in 2021. If you want to know the inside story on how these bills are drafted and lobbied, you will not want to miss these interviews.

Finally, if you are not already subscribed to our blog, consider doing so to stay updated.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of June 14, 2021

Keypoint: Once signed by the Governor, Colorado will become the third state to pass broad consumer privacy legislation.

On June 8, 2021, the Colorado legislature officially passed the Colorado Privacy Act with the Senate voting unanimously to adopt the House amendments to the bill. Once signed by the Governor, Colorado will become just the third

Keypoint: The bill will now return to the Senate to accept or reject the House amendments.

On the night of June 7, 2021, the Colorado House voted 57-7 to pass the Colorado Privacy Act (CPA). As we previously reported, the Colorado Senate unanimously passed the CPA on May 26. Because the House amended the Senate version of the CPA, the bill will now return to the Senate for it to accept the amendments, reject the amendments, or reject the amendments and ask for a conference committee.

Continue Reading Colorado House Passes Colorado Privacy Act

Keypoint: This week the Colorado legislature continued to advance the Colorado Privacy Act, and the Nevada Governor signed into law a bill that will broaden the state’s pre-existing right to opt out of sales as of October 1, 2021.

Below is our fifteenth weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide two reminders.

First, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of June 7, 2021