On July 8, 2021, the state of Colorado officially enacted the Colorado Privacy Act following Gov. Jared Polis, D-Colo., signing the bill. In passing the law, Colorado became the third U.S. state, following California in 2018 and Virginia earlier this year, to enact comprehensive privacy legislation.
As outlined by IAPP staff writer Joe Duball, the substance of the law is not particularly groundbreaking. Those who have reviewed the failed Washington Privacy Act and the Virginia Consumer Data Protection Act will find it familiar. Regarding the basic framework, the CPA followed the trend of adopting a WPA-like controller/processor approach rather than a California Consumer Privacy Act-like business/service provider distinction.
The scope of the CPA is reminiscent of the CDPA and CCPA but includes a few notable differences. The CPA applies to any controller that:
- “Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
- controls or processes the personal data of at least 100,000 consumers or more during a calendar year; or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”
The scope of the law is broader in some senses and narrower in others compared to the CCPA and is slightly broader than the CDPA. Unlike the CCPA, the CPA does not include any revenue thresholds. Thus, a business cannot become subject to the law merely due to its annual revenues. However, the CPA extends applicability to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data. Unlike the CCPA and CDPA, the CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data.