Colorado Joins California, Virginia in Passing Consumer Data Privacy Legislation

July 16, 2021

Governor Jared Polis (D) signed the Colorado Privacy Act, making the state the third to enact a comprehensive data privacy law and continuing the trend of excluding HR data from consumer-focused privacy legislation. 

HR data not covered:  With interoperability an important element of data privacy bills, all four state laws—Colorado’s CPA, Virginia’s VCDPA, and California’s CCPA and CPRA—do not cover HR data, which (if included) would create significant compliance and operational issues for employers and workers.

The law does not contain a private right of action.  Rather, the Colorado Attorney General and District Attorneys will enforce the statute.  Penalties range up to $20,000 per violation. 

The CPA, which goes into effect July 1, 2023, will grant Colorado consumers the right to access, correct, and delete personal data, as well as opt out of the sale, collection, and/or use of their personal data.  The law will also create an obligation for covered entities to provide privacy policy disclosures to consumers and undergo data protection assessments.

All quiet on the federal front:  Priorities such as battling COVID-19, the economic recovery, and infrastructure have translated to little movement for privacy bills in the halls of Congress.  Meanwhile, antitrust and content moderation (Section 230) debates have muddied the waters, drawing energy from the animus directed at tech companies from both sides of the aisle.  As of now, few privacy bills have been introduced this Congress and no congressional hearings on the topic have been held or scheduled.

Outlook:  Neither Virginia’s nor Colorado’s law contains a private right of action, with California’s being limited to certain circumstances.  Thus far, the four states that have passed data privacy laws do not cover HR data, though the HR data exclusion under California’s CPRA sunsets on January 1, 2022.  These trends are generally a positive sign for employers as other states, such as New York, Massachusetts, North Carolina, and recently Ohio, consider data privacy legislation in the absence of a strong federal effort.