Data Privacy’s Patchwork Expands

July 14, 2021 Advisory

In Colorado, just when it appeared that efforts to pass data privacy legislation would go on hiatus, a successful last-minute push enabled it to become the second state this year, and third overall, to enact comprehensive privacy legislation.

The Colorado Privacy Act (CPA) adds to myriad sector-specific regulations and anticipates additional regulations aimed at cybersecurity. While it is similar to Virginia and California’s data privacy statutes, there are some distinct differences, and since other states will likely follow suit, organizations may need to consider a patchwork approach.

Broader Opt-Out and Enforcement Powers

The consumer opt-out right under the CPA differs from those under the California and Virginia statutes. By 2024, companies must allow consumers to opt out through a global privacy control browser setting, rather than on a website-by-website basis. While the details of this global browser setting have not been determined and will be specified by the Colorado Attorney General (AG) by July 2023, companies must allow consumers across all websites to opt out of data processing that involves the sale of personal data, targeted advertising or profiling.

Enforcement is also slightly different under the CPA. In addition to the AG, any of the state’s 22 district attorneys can bring an enforcement action, a first in privacy legislation in the U.S. If enforcement ensues, the CPA includes a 60-day cure period for companies to bring their practices in line with the CPA’s requirements.

Restricted Use of ‘Dark Patterns’ and Data

The CPA is also the first statute to explicitly prohibit obtaining consumer consent through the use of dark patterns. Dark patterns – which manipulate users of websites and apps into doing things they did not intend – often implicate data collection and consumer consent, and thus have become a recent focus of regulators.

The Federal Trade Commission (FTC) and California AG have both taken action to address dark patterns this year, the FTC through a workshop hosted in April and California through modification of the CCPA’s regulations. Colorado’s inclusion of this provision in its legislation could signal the start of a trend.

Controllers under the CPA are also subject to a few unique requirements, including the requirement to minimize the use of personal data by limiting the collection of personal data to what is adequate, necessary and relevant to the specified purpose.

Similarities between CPA and Existing Regulations

Organizations attempting to comply with the CPA can take comfort in knowing that much of it is borrowed from existing regulations. For example, the rights to access, review and correct data are similar to those under the California Consumer Privacy Act (CCPA), the Consumer Data Protection Act (CDPA) in Virginia, the General Data Protection Regulation (GDPR) in Europe, and various sector-specific laws. As under the CCPA, CDPA and GDPR, companies are also required to enter into written agreements with third parties, vendors and service providers that process data on their behalf.

The CPA’s consumer notice requirements are also similar to other legislative frameworks. Under the CPA, companies must maintain a privacy notice that describes the categories of data collected, the purposes for which data is processed, how and where consumers may exercise their rights, and the categories of third parties with whom data is shared, among other things.

The CPA’s applicability and scope are also limited in ways similar to the CDPA. For example, under both the CPA and CDPA, the definition of a “consumer” does not encompass individuals acting in a commercial or employment context, job applicants, or beneficiaries of individuals acting in an employment context.

Summary of Current State Legislation

The table below contains an overview of some of the key differences between the legislation in Colorado, Virginia and California:

| | Colorado (CPA) | Virginia (CDPA) | California (CPRA) | California (CCPA) |
|---|---|---|---|---|
| Effective Date | July 2023 | January 2023 | January 2023 | January 2020 (will be replaced by CPRA in 2023) |
| Companies Subject to the Law | Companies that meet either of the following: (a) collect and store the personal data of more than 100,000 consumers; or (b) derive revenue from the sale of personal data of at least 25,000 consumers. Nonprofit entities that meet the above thresholds are subject to the requirements. | Companies that meet either of the following: (a) control or process the data of at least 100,000 consumers; or (b) control or process the data of at least 25,000 consumers and derive 50% of their revenue from the sale of personal data. Nonprofit entities are exempt. | Companies that meet any of the following: (a) gross annual revenue of more than $25 million; (b) annually buy, sell or share for cross-context behavioral advertising the personal information of 100,000 or more consumers or households; or (c) derive more than 50% of revenue from selling or sharing personal information for cross-context behavioral advertising. Nonprofit entities are exempt. | Companies that meet any of the following: (a) gross annual revenue of more than $25 million; (b) buy, receive or sell the personal data of more than 50,000 California residents; or (c) derive more than 50% of their revenue from selling personal data. Nonprofit entities are exempt. |
| Special Requirements for Sensitive Data? | Yes | Yes | Yes | No |
| Consumer Opt-Out Rights? | Yes – compliance with a universal opt-out through a global privacy control browser setting required by July 2024 | Yes – on a website-by-website basis | Yes – on a website-by-website basis | Yes – on a website-by-website basis |
| Purpose/Processing Limitations | Yes | Yes | Yes | Yes |
| Requires a Risk Assessment or Data Protection Assessment? | Yes – for certain processing activities | Yes – for certain processing activities | Yes – for certain processing activities | No |
| Special Requirements for Youth Data? | No | Yes – opt-in required if under 13 | Yes – opt-in required if under 16 | Yes – opt-in required if under 16 |

For a more in-depth discussion of the varying requirements across the U.S.’s broad regulatory scheme, please join us this fall for Armstrong Teasdale’s Digital Transformation Webinar Series. Sign up to receive forthcoming information about the series.

AT’s Privacy and Data Security practice has vast experience navigating all aspects of the complex data privacy regulatory scheme and regularly counsels clients – whether business-to-business, direct-to-consumer, e-commerce, or anything in between – across a variety of sectors on data privacy obligations. For more information specific to your business needs, please contact one of the authors or your regular AT attorney.
