Colorado Privacy Act Law Comparisons to CPRA, GDPR & CCPA

David A. Zetoony

Email

303.685.7425

Bio and Articles

Find Your Next Job !

Commercial Real Estate Transactional Attorney / Real Estate Lawyer
On Balance Search Consultants

Chief Operating Officer / Business Manager
On Balance Search Consultants

Litigation Legal Support Specialist
Greenberg Traurig, LLP

Legal Support Specialist
Greenberg Traurig, LLP

Litigation Paralegal
Greenberg Traurig, LLP

Trusts & Estates Attorney / Estate Planning Lawyer
On Balance Search Consultants

Trusts & Estates Partner / Senior Attorney
On Balance Search Consultants

Explore More Job Openings

The Colorado Privacy Act: How Does it Stack Up Against Other Privacy Laws?

by: David A. Zetoony of Greenberg Traurig, LLP - Data Privacy Dish

Friday, June 18, 2021

Print Mail Download info_icon_img

/>i

The Colorado Privacy Act: How Does it Stack Up Against the GDPR?

Colorado is the third state, after California and Virginia, to get a comprehensive data privacy statute through its legislature. While the Colorado Privacy Act (CPA) awaits signature by Governor Polis, businesses are assessing to what extent the CPA will impact their privacy programs.

The following provides a high-level cross-reference to help companies that are currently compliant with the European GDPR understand how the CPA compares and contrasts with that regulation:

Issue	Compliance Obligation	GDPR	Colorado Privacy Act
Ability to Process Data	Permissible Purpose	✓	✓ (Must obtain consent to process sensitive data)
Ability to Process Data	Data Minimization	✓	✓ (May only collect minimum data necessary)
Individual Rights	Right to be Informed (aka Notice to Data Subjects)	✓	✓
	Right to Access	✓	✓
	Right to Correction (aka Right to Rectification)	✓	✓
	Right to Deletion (aka Right to Be Forgotten)	✓	✓
	Right to Opt-Out of Behavioral Advertising	✓ (as part of larger right to object to legitimate interest or withdraw consent)	✓
	Right to Opt-Out of Sale	✓ (as part of larger right to object to legitimate interest or withdraw consent)	✓
	Right to Object to Use of Sensitive Information	(While consent is required for special category processing, no express right to withdraw consent).
	Right to Nondiscrimination	✓ (as part of larger right to withdraw consent)	✓
	Financial Incentive Disclosure
Accountability & Governance	Documentation and Recordkeeping	✓
Accountability & Governance	Privacy Risk Assessment	✓	✓
Security	Appropriate Data Security to Safeguard Information	✓	✓
Security	Breach Notification	✓	✓ (Via related statute)
Transfers to Third Parties	Contractual Requirements in Service Provider Agreements	✓	✓

The Colorado Privacy Act: How Does it Stack Up Against the CCPA?

The following provides a high-level cross-reference to help companies compare and contrast the California Consumer Privacy Act (“CCPA”) with the CPA:

		CCPA	Colorado Privacy Act
Ability to Process Data	Permissible Purpose		✓ (Must obtain consent to process sensitive data)
Ability to Process Data	Data Minimization		✓ (May only collect minimum data necessary)
Individual Rights	Right to be Informed (aka Notice to Data Subjects)	✓	✓
	Right to Access	✓	✓
	Right to Correction (aka Right to Rectification)		✓
	Right to Deletion (aka Right to Be Forgotten)	✓	✓
	Right to Opt-Out of Behavioral Advertising		✓
	Right to Opt-Out of Sale	✓	✓
	Right to Object to Use of Sensitive Information	(While consent is required for special category processing, no express right to withdraw consent).
	Right to Nondiscrimination	✓	✓
	Financial Incentive Disclosure	✓
Accountability & Governance	Documentation and Recordkeeping
Accountability & Governance	Privacy Risk Assessment		✓
Security	Appropriate Data Security to Safeguard Information	✓	✓
Security	Breach Notification	✓ (Via related statutes)	✓ (Via related statute)
Transfers to Third Parties	Contractual Requirements in Service Provider Agreements		✓

The Colorado Privacy Act: How Does it Stack Up Against the CPRA?

The following provides a high-level cross-reference to help companies compare and contrast the California Privacy Rights Act of 2020 (CPRA), which is set to go into effect in 2023, with the CPA:

		CPRA	Colorado Privacy Act
Ability to Process Data	Permissible Purpose		✓ (Must obtain consent to process sensitive data)
Ability to Process Data	Data Minimization	✓	✓ (May only collect minimum data necessary)
Individual Rights	Right to be Informed (aka Notice to Data Subjects)	✓	✓
	Right to Access	✓	✓
	Right to Correction (aka Right to Rectification)	✓	✓
	Right to Deletion (aka Right to Be Forgotten)	✓	✓
	Right to Opt-Out of Behavioral Advertising	✓	✓
	Right to Opt-Out of Sale	✓	✓
	Right to Object to Use of Sensitive Information	(While consent is required for special category processing, no express right to withdraw consent).
	Right to Nondiscrimination	✓	✓
	Financial Incentive Disclosure	✓
Accountability & Governance	Documentation and Recordkeeping	✓
Accountability & Governance	Privacy Risk Assessment	✓	✓
Security	Appropriate Data Security to Safeguard Information	✓	✓
Security	Breach Notification	✓ (Via related statute)	✓ (Via related statute)
Transfers to Third Parties	Contractual Requirements in Service Provider Agreements	✓	✓