Happy St. Patrick’s Day! As you consume your green beverages and cheer on your favorite  March Madness team(s), I have brought you some “privacy madness” to ponder between games.

Colorado as you know passed the Colorado Privacy Act (CPA) back on July 7, 2021, becoming the third state, at the time, to enact its own state privacy laws. Since then, two other states have passed similar laws and many others are lining up with bills of their own. As I write this, Iowa is most likely to be the next state to roll out consumer privacy law with a bill sitting on the Governor’s desk. The Final Rules were filed with the Colorado Secretary of State just this week on March 15th, after a series of public comment periods.  CPA goes into effect this year on July 1st.

Colorado follows very closely the revised California Privacy Rights Act (CPRA) that went into effect at the beginning of this year on January 1st bringing more guidance to the latter CCPA. Most of the requirements you will already be familiar with, the specific consumer rights that the CPA covers are as follows:

  • The right to opt out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling;
  • The right to know whether a controller is collecting personal data;
  • The right to access personal data that a controller has collected about them;
  • The right to correct personal data;
  • The right to delete personal data; and
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

The above list may feel like a lot but is it important to know as the CO Final Rule points out “The Data Rights request method does not have to be specific to Colorado, so long as the request method:

  1. Clearly indicates which rights are available to Colorado Consumers;
  2. Provides all Data Rights available to Colorado Consumers;
  3. Provides Colorado Consumers a clear understanding of how to exercise their rights; and
  4. Meets all other requirements of this part, 4 CCR 904-3, Rule 4.02”

Meaning that companies can be creative in the ways they consolidate all the state consumer privacy laws as long as the rights of the consumers residing in those specific states are clear and conspicuous.

The Final Rule includes the long-awaited guidance around the technical specification for the Universal Opt-Out Mechanisms the CPA requires controllers to comply with. Along with outlining a comprehensive catalog to navigate all things CPA, from Privacy Notice Principles, Consent, all the way down to Data Protection Assessments for Profiling, it’s a glorious 44 pages. If these new laws affect your business it’s crucial that you read, understand, and ensure you are applying them correctly to your operations.

A few final notes to keep in mind with the CPA, there is no private right of action currently in this law, only enforcement under the Attorney General and District Attorneys. Companies found to be violating the CPA will be sent a letter and given 60 days to cure the violation, however, if it is determined there is no solution for the violation, no letter will be sent. Notice of violation and 60 days to cure will remain in effect until January 1st, 2025.

With many states following suit passing their own consumer privacy laws, it can feel a bit overwhelming planning how to operationalize and track all the new requirements. This is why reading through the Final Rules or engaging a qualified consultant to help guide you through can be key and save you some peace of mind. Troutman Firm is always here to help and keep an eye on the ever-changing consumer privacy landscape.


Leave a Reply