Colorado and Connecticut Set to Debut New Data Privacy Laws on July 1
Beginning July 1, 2023, the Colorado Privacy Act and the Connecticut Personal Data Privacy and Online Monitoring Act will take effect. Following California (in 2020) and Virginia (earlier this year), four states now have enacted and implemented some version of a comprehensive privacy law.
The Colorado Privacy Act applies to a “controller” that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and that satisfies one or both of the following thresholds: (i) controls or processes personal data of 100,000 consumers or more during a calendar year; or (ii) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more. However, personal data governed by certain federal or Colorado state laws and certain listed activities may be exempt. Certain entities, such as state and local governments, as well as certain financial institutions and their affiliates, may also be exempt. The Colorado Privacy Act introduces twenty-six defined terms and provides consumers with several rights in connection with their personal data, including the right to opt out, the right of access, the right to correct, and the right to deletion.
The Connecticut Personal Data Privacy and Online Monitoring Act (PDP-OMA) applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (1) controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. However, as under the Colorado Privacy Act, personal data governed by certain federal or state laws and certain listed activities may be exempt. Certain entities, such as state and local governments, as well as certain financial institutions and their affiliates, may also be exempt. The Connecticut PDP-OMA introduces thirty defined terms and provides consumers with several rights in connection with their personal data, including the right to confirm whether a “controller” is processing or accessing their data; request copies of, correct inaccuracies in, and/or permanently delete their data; and opt out of the processing of their data.
In general, the Colorado Privacy Act and the Connecticut PDP-OMA have a lot in common with the Virginia Consumer Data Protection Act; however, it is clear California’s Consumer Privacy Act and Privacy Rights Act also influenced the Colorado and Connecticut legislatures. Going forward, expect other states to look to California and Virginia—and now Colorado and Connecticut—as they consider similar privacy laws.
Next up, the Utah Consumer Privacy Act is scheduled to take effect on December 31, 2023.
Reprinted with permission from the American Bar Association’s Business Law Today May Month-In-Brief: Business Regulation & Regulated Industries.