Colorado passed its Colorado Privacy Act (CPA) earlier this month, bringing a familiar but distinct new privacy regime to the growing patchwork of privacy legislation across the United States. The CPA will become effective on July 1, 2023, and prudent businesses are already expending resources on compliance to ensure that they are not in violation of the law when that effective date arrives. Though it is hoped that much of the compliance effort undertaken for the sake of the CCPA and CPRA will be helpful here, the legal distinctions between the statutes nevertheless pose a compliance hurdle for even the most sophisticated companies in this space.
At the outset, it should be noted that much of the CPA’s language and structure is similar to that found in the California Consumer Privacy Act (CCPA) and in the California Privacy Rights Act of 2020 (CPRA), which was passed by voters in the last election. There are also portions borrowed from Virginia’s Consumer Data Protection Act (CDPA), which makes compliance with all three of the statutes a juggle between numerous moving parts.
The CPA creates rights similar to those found in the CCPA and CPRA, including the right to access, delete, and correct personal data. In addition, citizens can opt out of the processing of personal information for specific purposes and have been granted a right to data portability. The law benefits from the fact that it does not include a private right of action and can be enforced only by the attorney general. This foresight is important to prevent privacy law from eroding into a contest among predatory personal injury lawyers. Additionally, the law has the foresight to define “consumer” so that it explicitly excludes individuals acting as a job applicant, as a beneficiary of someone acting in the employment context, or in the employment context itself. This comes from the wise recognition that these privacy statutes are designed for consumers and are therefore ill-equipped to deal with the nuances of privacy in the employment context. Employee data under the CPRA is only exempt until 2023, and how employee data should be handled will be a significant issue for the Legislature to resolve.
But notable distinctions do exist, and these distinctions will create operational, compliance, and judicial differences that will make it challenging for businesses to operate across state lines. For example, one of the most important definitions in the statute is the definition of “personal data,” which differs from the definition of “personal information” in California. This distinction is important because, unlike the CCPA and CPRA, the CPA definition does not enumerate specific categories of information regulated as personal information. Colorado legislators instead opted to align themselves with Virginia’s statute and make the term as broad as possible, applying it to information that is linked or reasonably linkable to an identified or identifiable individual. Thus, a business complying with California’s privacy laws cannot rely on basic principles of privacy to ensure compliance across states; it must instead take a surgical approach to ensuring that its compliance processes do not conflict on a state-by-state basis.
As for a federal fix to this growing patchwork of differing privacy laws, there does not seem to be one in sight. Certainly, a federal law that occupies this space would preempt state legislatures from making these decisions on a state-by-state basis, and businesses and consumers alike would benefit from consistency across the board. However, aside from the Uniform Law Commission’s purely academic foray into drafting model legislation, which is notably not inclusive of all viewpoints, there does not appear to be any federal effort to harmonize privacy law in the United States or to update the existing privacy legislation that has been on the books since before the dawn of the internet. Until that happens, businesses will be left playing catch-up with the whims of state legislators, which vary from region to region.