Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have 10 days to sign or explicitly veto it.CPA applies to businesses collecting data on more than 100,000 individuals, or those earning revenue from the data of more than 25,000 consumers. It includes standard data subject rights, an opt-out consent model with a universal opt-out mechanism, and a right to cure, all subject to normal AG rule-making and enforcement.
CPA is effective July 1, 2023 unless vetoed by the Gov. The biggest difference when compared to Virginia or CPRA is the broad requirement (with fewer exemptions) for data protection privacy assessments.
A more specific compliance issue Colorado presents, according to attorney David Zetoony, is the required data protection assessment. Such examinations are also required in the Virginia Consumer Data Protection Act, but Colorado does not exempt companies from these assessments like Virginia.
The Colorado Privacy Act SB190 has passed the Colorado House of Representatives by a vote of 57-7. While the bill must return to the Senate for final reconciliation of amendments made by the House, it’s most likely. Unless the Governor vetos it, which is improbable, the amendments will be reconciled in the next few days.
There were minor updates to the definition of pseaudoanonymous data, how agents operate, and a modest narrowing of the scope – but most importantly there was clarification that it does not form a basis for private action.
All of the proposed amendments, according to Truyo president Dan Clarke, are more than reasonable and very unlikely to keep the Colorado State Senate from passing SB190. We have seen other state Houses propose amendments that alter bills in a way that makes it highly unlikely to pass the Senate vote. In this case, we anticipate that the United States will have another state with an omnibus privacy regulation when the session concludes.