Colorado Privacy Act Becomes Law: Data Privacy Trends

It’s a three-post day!  Why?  Because there is a lot of news today!  TODAY, the state of Colorado officially enacted the Colorado Privacy Act (CPA) following Gov. Jared Polis, D-Colo., signing bill SB21-190 into law. In passing the law, Colorado became the third U.S. state, following California in 2018 and Virginia earlier this year (covered by us here), to enact comprehensive privacy legislation.  The CPA will go into effect on July 1, 2023.

As discussed by Sarah Rippy of the International Association of Privacy Professionals (IAPP), the substance of the law is not particularly groundbreaking. Those who have reviewed the failed Washington Privacy Act (WPA) and the Virginia Consumer Data Protection Act (CDPA) will find it familiar. Regarding the basic framework, the CPA followed the trend of adopting a WPA-like controller/processor approach rather than a California Consumer Privacy Act (CCPA) like business/service provider distinction.

The scope of the Colorado Privacy Act is reminiscent of the CDPA and CCPA but includes a few notable differences. The CPA applies to any controller that:

  • “Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
    • controls or processes the personal data of at least 100,000 consumers or more during a calendar year; or
    • derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”

The scope of the law is broader in some senses and narrower in others compared to the CCPA and is slightly broader than the CDPA. Unlike the CCPA, the CPA does not include any revenue thresholds. Thus, a business cannot become subject to the law merely due to its annual revenues. However, the CPA extends applicability to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data. Unlike the CCPA and CDPA, the CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data.

Rippy’s article goes on to discuss how the Colorado Privacy Act defines a consumer and the “sale of personal information”, how the definition of “sale” explicitly excludes certain types of disclosures, exemptions, five main rights for the consumer under the CPA, controller obligations and enforcement (among other things).  You can check it out here.  Three down, forty-seven to go!  🙂

So, what do you think?  What do you think of the newly enacted Colorado Privacy Act?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.



  1. With each new state (and now with NYC even city) data security and privacy law passing, I’m reminded of the “This business will get out of control…” scene from the Hunt for Red October. The time is long past for a national standard – leaving this to the states is going to make it nearly impossible for business to keep up with the inevitable 50-state patchwork. But then, I’m sure I’m preaching to the choir!

  2. At least a choir membership of one here at eDiscovery Today, Brian! 😉 Europe can create one and the European Economic Area is 30(!) countries, not just one. You would think our one country could create a single standard for all of us.

Leave a Reply