On June 8, 2021, Colorado became the third state in the nation – following California and Virginia – to enact its own state privacy law, the Colorado Privacy Act (“CPA”). The law furthers a recent trend of some states enacting privacy regulations in the absence of a comprehensive federal framework. The trend, however, should not be read to suggest that state-level regulatory schemes are entirely consistent from one state to another. A challenge for businesses will be to understand and comply with these regulations and any differences among them.
The CPA offers consumers protections such as the ability to control and dictate how their data is used. It is similar in many respects to the Virginia Consumer Data Protection Act (“VCDPA”), for example in requiring a consumer to consent, or opt in, to the processing of their sensitive data. Although it does not have a private right of action like California’s Consumer Privacy Act (“CCPA”), which was later amended by the California Privacy Rights Act (“CPRA”), it includes many of the same consumer rights, such as the rights to delete, correct, and access data, and the right to data portability.
Since the CPRA and VCDPA have the same effective date of January 1, 2023, six months before the CPA’s effective date of July 1, 2023, early compliance efforts will help businesses comply with all three state laws. These new privacy regulations emphasize how important it is for businesses to have a deep understanding of their data through comprehensive data mapping and inventory, a process in place to respond to data subject rights requests, and strong technical privacy and security measures.
This article will delve into key comparisons of the CPRA, VCDPA, and CPA provisions and how KPMG can help.