Colorado Becomes Latest State With a Comprehensive Privacy Law

How the Colorado Privacy Act Compares to the California, Virginia and European Union Laws That Inspired It

On June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021.

The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways. If the California law was consumer privacy 1.0 for the US, and Virginia 2.0, it seems that Colorado hopes to be the 3.0 (or maybe v 2.1) model for the rest of the nation. Indeed, in the act’s declaration of purpose, the Colorado legislature found:

  • “States across the United States are looking to this [law] and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level”
  • “By enacting this [law] Colorado will be among the states that empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue innovate”

In this publication, we break down the similarities and differences of the three US state consumer privacy regimes. A more detailed analysis and workstreams for assessing and establishing compliance readiness, as well as detailed project plans and compliance checklists, are available to clients. Please contact the author for further information.

Download our breakdown which focuses on:

  • Who and what is covered?
  • How does CPRA change CCPA?
  • What changes with the Virginia and Colorado Acts?
  • Penalties under CFRA, CDPA and CPA