June 11, 2021
This week, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California's two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as well as Virginia's recently passed Consumer Data Protection Act (CDPA). It even borrows some terms and ideas from the EU's General Data Protection Regulation.
While there are similarities, such as some form of a right to opt-out, special protections for sensitive data and the adoption of some privacy-by-design principles, the significant differences are in the details. That's according to Kirk Nahra, a longtime privacy attorney and co-chair at Wilmer Hale.
The CCPA (California), CPRA (California) and CPA (Colorado) define "sensitive data" differently, for example. "Companies will need to take into account these details to reach compliance," Nahra said.
The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.
The CPA lists five rights granted to Colorado residents once the law becomes effective. They are:
The law includes exemptions for a broad range of purposes.
"Small businesses definitely are treated differently than larger businesses," said Nahra. "In fact, like the laws in Virginia and California, many small businesses are exempted entirely ... These exemptions are a big part of this law."
Calli Schroeder, global privacy counsel at EPIC, said the bill has some good elements, but there are places where it needs improvement, specifically in some of the other exemptions.
"The list of exemptions is long – exemptions for air carriers, exemptions for employment records, exemptions for information held by higher education or the state, and exemptions for customer data of public utilities (which includes common carriers/telecommunications companies)."
There are 17 blanket exemptions within the law, noted Amie Stepanovich, executive director of Silicon Flatirons at Colorado University Law School. Those include:
In part because of the long list of exemptions, Stepanovich said the bill contains "some good stuff," but "I really don't think this is the gold standard, and I hope we keep seeing better from other states."
Where privacy advocates and others are more fond of the CPA are the requirements that data controllers:
However, Schroeder would like to see the requirement on data protection impact assessments include transparency provisions.
"Mandating data protection assessments for high-risk activities is an excellent step, but they are not allowed to be made public, which hampers real accountability," she said.
Privacy advocates also broadly welcome the law's call for a global privacy control, a mechanism that would allow Colorado residents to opt out of data processing by any website through a single signal. California's privacy laws, the CCPA and the CPRA, also call for a universal opt-out mechanism.
It's a trend that could continue in forthcoming state legislation. Schroeder said that's important because, "It is unrealistic to expect that internet users are going to take multiple steps to separately opt-out of data disclosure on every website they visit. Global opt-out mechanisms will simplify the opt-out process but are only effective if enforceable."
The Colorado Attorney General's Office will enforce the CPA, which differs from California's latest privacy law, the CPRA. There, a newly established privacy protection agency will issue guidance and enforce the law.
But unlike California's laws, the CPA contains no private right of action. A private right of action allows consumers to file a lawsuit under certain circumstances, such as a breach of personal information.
"This has been a sticking point for advocacy groups," said Nahra. "It was one of the major points of contention that effectively ended any chance of the Washington Privacy Act making it out of the legislature this year and has also been an issue in the national privacy debate in Congress. It will be interesting to see if other states are willing to pass a privacy law without a private right of action, under the notion that some privacy protections are better than no law at all."
Some see this as a mistake, arguing that companies won't take their obligations seriously if there isn't the looming threat of a lawsuit in cases of noncompliance.
"Without giving individuals the ability to vindicate their rights, companies will assume there is a low risk of enforcement, and the effort that went into enacting a privacy law will be wasted," Schroeder said.
Nahra said companies that already are complying with California or Virginia have a head start.
"If you believe that you are subject to the Colorado law, the first step overall is data mapping," he said. "Understanding what data you collect, where it comes from and who it belongs to will help companies understand their relevant legal obligations, not only under the Colorado Privacy Act, but also under the California Privacy Rights Act and Virginia's Consumer Data Protection Act."
In the end, Schroeder agreed with Stepanovich that the bill does some good, but more is needed.
"While there are some important provisions in the bill that will provide privacy protections, the Colorado law is far from what states need to be doing in order to change the business practices that are eroding individual privacy and harming our communities," she said.
Writer at Osano
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”