The Colorado Privacy Act and Connecticut Data Privacy Act Take Effect on July 1, 2023
In the absence of a comprehensive federal privacy law, states are leading the way in enacting consumer data privacy laws aimed at giving consumers greater transparency and choice in how their personal information is handled and protected. Following California’s enactment of the nation’s first comprehensive consumer data privacy law, Virginia, Colorado, Utah and Connecticut have passed privacy legislation with similar consumer protections. Although the states’ privacy laws overlap, covered entities must be attuned to the specific requirements and obligations imposed on data handlers under the Colorado Privacy Act (“CPA”) and the Connecticut Personal Data Privacy and Online Monitoring Act (“Connecticut Data Privacy Act” or “CTDPA”), both of which take effect on July 1, 2023.
The CPA applies to individuals or entities that (1) conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and (2) control or process personal data of either:
- 100,000 or more consumers during a calendar year, or
- 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from personal data sales.
Similar to the CPA, the CTDPA applies to individuals or entities that (1) conduct business in Connecticut or produce products or services targeted to Connecticut residents and (2) during the preceding calendar year, controlled or processed personal data of either:
- 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
- 25,000 or more consumers, while deriving more than 25% of gross revenue from personal data sales.
Akin to the data privacy laws in California, Utah, and Virginia, the CPA and CTDPA include exclusions for entities or data regulated by sector-specific laws, such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), and the Fair Credit Reporting Act (“FCRA”), among others.
Under the CPA and CTDPA, consumers are armed with rights involving their personal data, which is defined as information linked to or reasonably linkable to an identified or identifiable individual. Like their California counterparts, the CPA and CTDPA afford consumers the rights of access, correction, deletion, and data portability, and the right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. Both the CPA and CTDPA require a consumer’s prior consent before processing sensitive data, which includes (1) personal data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying an individual; and (3) personal data collected from a known child. The CTDPA additionally treats precise geolocation data as sensitive data, and requires prior consent before selling, or processing for targeted advertising, the personal data of consumers the controller knows are between 13 and 15 years old.
Aside from requiring the implementation of processes that allow consumers to exercise their privacy rights, the CPA and CTDPA impose a number of other obligations on covered entities, including specific requirements for contracts governing the processing of personal data on a controller’s behalf, and data protection assessments that must be conducted before engaging in any processing activity that presents a heightened risk of harm to consumers (such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data).
Neither the CPA nor the CTDPA currently provides consumers with a private right of action. Rather, the states’ respective Attorneys General are charged with enforcement (in Colorado, district attorneys may also enforce the CPA). Violations of the CPA or CTDPA constitute deceptive or unfair trade practices under the states’ consumer protection statutes and can lead to hefty penalties: in Colorado, civil penalties of up to $20,000 per violation (rising to $50,000 per violation where the consumer is an elderly person), and in Connecticut, injunctive relief, restitution, attorneys’ fees, or penalties of up to $5,000 per willful violation. Both laws initially provide a 60-day cure period after notice of a violation, in Colorado until January 1, 2025 and in Connecticut until December 31, 2024, after which the Attorneys General may proceed without offering an opportunity to cure.