Colorado Passes Consumer Privacy Legislation
Colorado last week became the third U.S. state to enact a consumer privacy law, following California and Virginia. Colorado Gov. Jared Polis signed the Colorado Privacy Act (CPA) into law after the state legislature passed the bill overwhelmingly last month. The new law takes full effect July 1, 2023.
The Colorado law allows consumers to opt out of the sale of their personal data, to obtain a copy of any data companies have about them, and to access, correct, or delete the data. It also bans companies from processing data in a way that would violate state or federal anti-discrimination laws. Companies will also need to provide privacy policy disclosures and create data protection assessments for certain types of processing activities.
The CPA applies to any company that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado.
The Colorado law closely mirrors the California Consumer Privacy Act (CCPA), which was signed into law in June 2018, and the Virginia Consumer Data Protection Act (CDPA), which was signed into law in March. Still, most would prefer to see a federal law similar to the European Union's General Data Protection Regulation, which passed in 2016 and took effect across much of Europe in 2018.
"While it's a positive step forward for ensuring there is a single set of rules and regulations to protect consumers' identities, the most concerning part of the bill is the absence of the private right to action and the exemptions, especially non-profits," says Charles Farina, head of innovation at Adswerve. "The CPA includes greater fines per violation, but without an overarching federal privacy law, there remain loopholes for gathering first-party data and continued doubt from consumers about the safety of their data."
Farina cited recent Adswerve research that found that 76 percent of respondents said they should have total control over their personal data, 69 percent said the ability to control who can collect personal information and online activity, how it is used, and for what purpose is "extremely important," and 67 percent said companies should be held financially responsible for misusing or losing personal data.
The results, he says, signal "the high consumer demand for updated privacy regulations. Legislation like CPA is a step in the right direction, but signals that there is still more work to be done to ensure a transparent exchange of data between consumers and businesses."