The recent Colorado Privacy Act (ColoPA) does not differ much from Virginia and California’s acts, but there are some distinctions to be aware of.
Provision | ColoPA | VCDPA | CCPA |
Thresholds to Applicability | Conduct business in CO or produce products or services targeted to CO and (a) control or process personal data of at least 100,000 consumers; or (b) derive revenue or receive a discount on the price of goods or services from selling personal data or controls personal data of at least 25,000 consumers | Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers | Conduct business in CA and collect personal information of CA residents and: (a) has $25 million or more in annual revenue for preceding calendar year as of Jan. 1 of calendar year; (b) annually buys, sells, or shares personal data of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumer personal information |
Consent | Requires opt-in consent for processing sensitive personal data, including children’s data, and certain secondary processing | Requires opt-in consent for processing sensitive personal data, and COPPA-compliant consent for processing children’s data | Requires opt-in consent for sharing PI for cross-context behavioral advertising for children under 16, including parental consent for children under 13 |
Opt-Out | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for profiling, cross-contextual advertising, and sale; right to limit use and disclosure of sensitive personal information |
Other Consumer Rights | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability |
Authorized Agents | Permitted for opt-out requests | N/A | Permitted for all requests |
Appeals | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights | N/A |
Private Cause of Action | No | No | Yes, related to security breaches |
Cure Period? | 60 days until provision expires on Jan. 1, 2025 | 30 days | No |
Data Protection Assessments | Required for targeted advertising, sale, sensitive data, certain profiling | Required for targeted advertising, sale, sensitive data, certain profiling | Annual cybersecurity audit and risk assessment requirements to be determined through regulations |
Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any example, other state privacy efforts may not veer too far from the paths VCDPA and CCPA have forged.
Foresite can help with an assessment of how you or your clients are meeting your applicable privacy requirements.