Colorado Governor Signs The Colorado Privacy Act Into Law  

Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 8, adding protections for Colorado consumer’s data and privacy.  

“Today I signed into law Senate Bill 21-190,” Gov. Polis said in his official signing statement.  

“As our economy continues to evolve and innovate in response to the demands of technology and the internet, new protections are needed to prevent fraud, abuse, and misuse,” the governor stated. “Colorado joins a handful of states that have now passed their own version of the Colorado Privacy Act to protect consumers.” 

Colorado now joins California and Virginia as the three states with consumer privacy laws.   

“Senate Bill 21-190 (SB 21-190) creates new consumer data privacy rights and protections, requiring businesses that process personal data or information to perform certain duties, such as providing transparency, purpose specification, and data minimization,” the governor stated.   

“The Colorado Privacy Act will keep consumers safe from harmful practices and hopefully will become a template for a nationwide standard passed by Congress in the future,” Polis stated.  

The law, which was quickly passed, will need to be updated next year. 

"My chief concern is ensuring Colorado's competitiveness with other states as an incubator of new technologies and innovations,” the governor noted. “SB 21-190 will require clean-up legislation next year, and in fact, the sponsors, proponents, industry, and consumers are already engaged in conversations to craft that bill. We encourage those to continue but urge that they strike the appropriate balance between consumer protection while not stifling innovation and Colorado's position as a top state to do business.”  

The enforcement of the CPA is set to begin on July 1, 2023, according to a report by the global law firm Cooley. 

The CPA also does not apply to data subject to certain federal privacy regulations, according to Cooley, a law firm with 1,200 lawyers across 17 offices in the United States, Asia and Europe.  

The newly passed CPA will not apply to “the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act of 1994, the Children’s Online Privacy Protection Act of 1998, the Family Educational Rights and Privacy Act of 1974, and the Health Insurance Portability and Accountability Act. It likewise exempts data maintained for employment records or noncommercial purposes by certain public utilities, state institutions of higher education and judicial departments,” the Cooley report states.  

One notable change from other privacy laws, according to the Cooley report, is that the CPA will allow consumers to “opt out of the sale, collection and use of personal data in certain circumstances.” 

“In particular, a consumer has the right to opt out of the processing of personal data for purposes of profiling, in addition to opting out of targeted advertising and the ‘sale’ of personal data. Activities that constitute a sale are also arguably narrower under the CPA, specifically requiring an exchange of personal data for monetary or other valuable consideration by a controller to a third party."