Meet The Colorado Privacy Act: An Intro To CPA Compliance

Colorado joins the ranks of California and Virginia in passing comprehensive consumer privacy legislation. Here’s how the latest privacy law stacks up to other frameworks, and what it could teach us about the future of American privacy regulation.

Privacy Protections for the Centennial State

On July 7, Colorado’s governor signed the Colorado Privacy Act (CPA) into law, which codifies data privacy rights for the state’s almost 6 million residents. The CPA takes effect on July 1, 2023.

Looking at a national scale, the CPA is grounded in the general business obligations and user provisions articulated in recent legislation from California and Virginia. However, its additions are significant and could shape expectations for other jurisdictions’ privacy legislation in the future.

Here is a brief rundown of the CPA’s distinctions from California’s CCPA and Virginia’s CDPA. (If the acronyms are causing some understandable confusion, bookmark our regularly-updated Data Privacy Acronyms List.)

CPA Applicability

The CPA aligns with the CDPA on applicability. Both laws apply to businesses that either

1. Collect and store over 100,000 users’ data, or
2. Earn revenue from data of more than 25,000 users.

This classification contrasts with the CCPA, which establishes three bases, each of which is enough to put a company in the CCPA’s scope:

• The business has a gross annual revenue exceeding $25 million;
• The business receives or buys/sells personal data of 50,000 users, households, or devices; or
• The business earns at least half of their annual revenue from data sales

CPA and Dark Patterns

Dark patterns—misleading design elements that can manipulate users’ digital choices —have been making the press rounds lately. For instance, an FTC workshop in April focused specifically on dark patterns, and Ethyca led an interactive session on the topic in June. The CPA joins California’s upcoming CPRA in explicitly calling out and prohibiting dark patterns in its original text. In early 2021, California’s Attorney General modified the CCPA to also include a prohibition on dark patterns.

Zooming in on the reference to dark patterns in the CPA, it comes up in relation to user consent. Namely, obtaining a user’s agreement through a dark pattern does not constitute consent under the CPA. Given the rising expectations for privacy UX, teams would benefit from reading up on dark patterns to ensure their practices are not—even inadvertently—dark patterns. Check out this list of dark patterns to make any needed UX improvements now, before the CPA goes into effect.

The CPA’s Universal Opt-Out Mechanism and Data Subject Rights

The CPA will provide users with a one-click means of opting out of personal data sales and targeted advertising. For companies, CPA compliance will require the implementation of a conspicuous and easy-to-use feature for users to opt out of these activities. Leading up to the law’s effective date of July 1, 2023, Colorado’s Attorney General will issue rules related to the opt-out mechanism’s technical specifications. In the meantime, companies should review how they are currently requesting and implementing users’ consent choices. As with CCPA compliance, a simple cookie banner won’t cover the deep data flows that the CPA governs.

Like Virginia’s CDPA and California’s upcoming CPRA, the CPA also provides end-users with a suite of rights that include access, correction, and deletion.

CPA and Data Protection Assessments

With respect to data protection assessments, the CPA has a broader requirement than the CDPA does. Appearing for the first time in US privacy law in the CDPA, a data protection assessment is a company’s analysis of risk in its data processing activities. The high-level rationale for data protection assessments is that companies must make informed decisions prior to performing their processing activities, especially when the nature of the processing or the sensitivity of the data could pose real risks to users. The CDPA exempts companies from conducting these assessments if they are already making similar assessments for compliance with other laws. The CPA, on the other hand, provides no such exemption. The upshot is that companies with users in Colorado must be prepared to comprehensively and specifically assess privacy risk in their data processing activities, even if they already conduct similar assessments.

CPA Enforcement: No Private Right of Action

Consistent with the CDPA, the CPA relies on authorities like the Attorney General’s office for enforcement. It lacks a private right of action, so individuals cannot sue companies for violation. The CCPA carves out very specific circumstances for Californians to file lawsuits, but it generally aligns with the delegation of enforcement to state authorities. The lack of a private right of action and explicit support from the Attorney General’s office likely played key roles in the CPA’s successful passage. Business lobbyists frequently cite a private right of action as a blocker for companies.

A View To The National Landscape

It’s the time of year when most state legislatures wrap up their sessions, and with it comes an opportunity to take stock of the successes and failures for privacy bills. As sessions got underway at the start of 2021, we were covering a huge influx in state-level privacy bills, a surge that animated much of the session. In total, lawmakers introduced 27 privacy bills across 21 states. The success rate of 2 passed bills out of 27 total might seem bleak, but a broader perspective is key. Every year since 2018, the number of state privacy bills has increased. And 2021 is the first year in which multiple states have signed comprehensive consumer privacy legislation into law. Substantial work remains to bring privacy protections to most Americans, but the momentum is quantifiably increasing.

Privacy professionals have noted that Colorado’s approach could be a model for state-level privacy legislation, particularly in contrast with attempts that aimed for more sweeping change, like Washington State’s failed bill. The CPA represents an incremental approach to comprehensive consumer privacy, lacking the most contentious features like a private right of action while establishing a baseline suite of data subject rights of access, erasure, and correction. A central question—the central question, perhaps—for privacy proponents may be whether an incremental and imperfect law in the short term is better than no law for the foreseeable future.

And all of this is nothing to say of federal legislation, which remains up in the air. As of early July, the introduced consumer privacy bills with broad scope—Representative DelBene’s Information Transparency and Personal Data Control Act, Senator Schatz’s Data Care Act, and Senator Moran’s Consumer Data Privacy and Security Act—have not seen legislative action for upwards of three months. Also, no measure has garnered bipartisan support. Issues like a private right of action and preemption—whether a federal privacy law can nullify states’ privacy laws—are proving to be steep challenges for federal legislation. Meanwhile, as Colorado makes evident, states are proceeding with their own patchwork of privacy laws and standards.