U.S. State Data Privacy Laws Directory
On July 7, 2021, the state of Colorado took a significant step in safeguarding consumer data privacy by enacting the Colorado Privacy Act (CPA/ColoPA), which took effect on July 1, 2023. This legislation places Colorado in the company of states such as California, Virginia, Florida, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana, which have all adopted comprehensive data privacy laws. The Colorado Privacy Act shares several key features with the "Virginia model" while also introducing some provisions of its own.
The Colorado Privacy Act (CPA/ColoPA) is designed to empower consumers and provide them with greater control over their personal data. Understanding the core aspects of the CPA is crucial for businesses looking to ensure compliance:
Determining whether your business falls under the jurisdiction of the CPA is essential:
While the CPA has a broad reach, some entities are exempt from its provisions, including:
Data processing activities are exempted under specific conditions, including data subject to existing regulations like HIPAA, GLBA, and FERPA, among others.
To ensure your business is compliant with the Colorado Privacy Act, follow these steps:
The Colorado Privacy Act has been in effect since July 1, 2023. To ensure that your business is well prepared for the CPA, consider the following:
If your business falls under the Colorado Privacy Act (CPA/ColoPA), it is essential to have your compliance measures in place now. The law is already in force, and the 60-day right to cure that controllers currently receive before enforcement expires on January 1, 2025; after that date the Attorney General and District Attorneys can bring enforcement actions without first giving notice and an opportunity to cure.
| SUBJECT | California (CPRA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| APPLICABILITY | For-profits that do business in CA and meet one of three thresholds: 1. Revenues over $25,000,000; 2. Collect personal information of over 100,000 consumers or households; or 3. Generate at least half of revenues from sales of personal information. | Persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that: 1. Control or process personal data of at least 100,000 consumers per year; or 2. Control or process personal data of at least 25,000 consumers and derive more than half of gross revenues from the sale of personal data. | Controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and: 1. Control or process the personal data of 100,000 consumers or more during a calendar year; or 2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more. |
| PERSONAL DATA | Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, not including publicly available information or deidentified or aggregate consumer information. | Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person, not including de-identified data or publicly available information. | Personal data means information that is linked or reasonably linkable to an identified or identifiable individual, not including publicly available information. |
| SENSITIVE INFO. | Sensitive personal information means (in summary) personal information that reveals certain information about a consumer. The specific categories are listed in the statute and include data types similar to those listed in Virginia and Colorado, as well as Social Security number, driver's license, state identification card or passport numbers, account log-in, financial account, debit card or credit card numbers in combination with any required security or access code, password or credentials allowing access to an account, and precise geolocation. | Sensitive data means a category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizenship or immigration status, as well as processing of genetic or biometric data for identification, precise geolocation data, and personal data collected from a known child. | Sensitive data means personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person's sex life or sexual orientation, or citizenship or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. The definition also includes personal data from a known child. |
| KEY EXEMPTIONS | 1. Information (not institutions) subject to GLBA or California financial privacy laws; 2. Institutions and information subject to HIPAA; 3. Data regulated by FCRA, DPPA, FERPA, and others; 4. Non-profit organizations. [Note: The personnel and B2B exemptions in CA were scheduled to sunset on January 1, 2023, and were not extended.] | 1. Institutions subject to GLBA and its implementing regulations; 2. Institutions and information subject to HIPAA; 3. Personnel data; 4. B2B information; 5. Data regulated by FCRA, DPPA, FERPA, and others; 6. Non-profit organizations. | 1. Institutions subject to GLBA and its implementing regulations; 2. Institutions and information subject to HIPAA; 3. Personnel data; 4. B2B information; 5. Data regulated by FCRA, DPPA, FERPA, and others; 6. Data maintained by state institutions of higher learning for non-commercial purposes. |
| CONSUMER RIGHTS | | | |
| Right of Access | Yes | Yes | Yes |
| Right of Portability | Yes | Yes | Yes |
| Right to Correct | Yes | Yes | Yes |
| Right to Delete | Yes | Yes | Yes |
| Opt-out Right | Yes | Yes | Yes |
| Opt-in Right for Processing Sensitive Data | No (Note: consumers may limit use and sharing.) | Yes | Yes |
| Non-Discrimination Right | Yes | Yes | No |
| Private Right of Action | Yes | No | No |
| BUSINESS/CONTROLLER OBLIGATIONS | | | |
| Notice to Consumers | Yes (Notice at Collection specifically required) | Yes | Yes |
| Privacy Policy | Yes (California Privacy Policy specifically required) | No (although required disclosures may be incorporated in the privacy policy) | No (although required disclosures may be incorporated in the privacy policy) |
| Contractual Requirements for Third-Party Service Providers/Processors | Yes | Yes | Yes |
| Data Protection Impact Assessment | No | Yes | Yes |
| ENFORCEMENT | | | |
| Right to Cure | None (Note: the existing right to cure sunsets January 1, 2023) | 30 days | 60 days |
| Enforcer | Dedicated enforcement agency (CPPA), Attorney General, and private litigants | Attorney General | Attorney General and District Attorneys |