Jul 8, 2021
On July 8, 2021, the state of Colorado officially enacted the Colorado Privacy Act when Gov. Jared Polis, D-Colo., signed the bill. In passing the law, Colorado became the third U.S. state, following California in 2018 and Virginia earlier this year, to enact comprehensive privacy legislation.
As outlined by IAPP staff writer Joe Duball, the substance of the law is not particularly groundbreaking. Those who have reviewed the failed Washington Privacy Act and the Virginia Consumer Data Protection Act will find it familiar. Regarding the basic framework, the CPA followed the trend of adopting a WPA-like controller/processor approach rather than a California Consumer Privacy Act-like business/service provider distinction.
The scope of the CPA is reminiscent of the CDPA and CCPA but includes a few notable differences. The CPA applies to any controller that:
The scope of the law is broader in some senses and narrower in others compared to the CCPA and is slightly broader than the CDPA. Unlike the CCPA, the CPA does not include any revenue thresholds. Thus, a business cannot become subject to the law merely due to its annual revenues. However, the CPA extends applicability to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data. Unlike the CCPA and CDPA, the CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data.