Colorado
Colorado Privacy Act (CPA)
Passed | July 7, 2021 |
Effective Date | July 1, 2023 |
Who it applies to |
|
Penalties | Up to $20,000 per violation, and up to $50,000 if the violation involves the data of an elderly person. |
What’s notable about it:
Except for California, Colorado is the only state to have passed regulations under its privacy law. The regulations tell us how the state’s Attorney General interprets the law and how the office might enforce it. The answer: strictly.
The Colorado Privacy Act Rules prescribe a particularly rigorous process for “data protection assessments”, and a European-style interpretation of “consent” (that means specific, informed, “opt-in” consent). This requires businesses to inform people upfront about privacy-invasive data practices and to ask them to expressly consent. The Rules also give a broad definition of “sensitive data”. Expect the Attorney General to flex its enforcement muscles soon.
The Strict Spectrum