Connecticut and Colorado Privacy Laws Set to Take Effect
Beginning July 1, 2023, the Colorado Privacy Act and Connecticut Personal Data Privacy and Online Monitoring Act will take effect. Following California and Virginia, four states have enacted and implemented their version of a comprehensive privacy law.
The Colorado Privacy Act applies to any “controller” that meets the following jurisdictional thresholds:
- Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
- Controls or processes the personal data of at least 100,000 consumers or more during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
The Connecticut Personal Data Privacy and Online Monitoring Act applies to entities that meet the following requirements:
- Conduct business in Connecticut or produce products or services targeted to Connecticut residents; and
- During the preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.
Notably, both the Colorado and Connecticut laws do not include annual revenue threshold requirements. Likewise, both laws define “consumer” to exclude those acting in a commercial or employment context. The Colorado and Connecticut laws each exclude publicly available information and deidentified information from the definition of “personal data.” Equally, the laws include consumer race or ethnic origin, religious beliefs, genetic data, biometric data, health data, sexual orientation, sex lives, and citizenship and immigration status in their definitions of “sensitive personal data.” “Sensitive personal data” also includes personal data from a known child. Connecticut’s law incudes precise or specific geolocation data whereas the Colorado law does not. Both states’ laws also define the “sale” of personal data as “an exchange of personal data for monetary or other valuable consideration.”
Each law also has both entity level and data level exemptions from the scope of requirements. With respect to entity level exemptions, Colorado and Connecticut exemptions include government entities, entities regulated by the Gramm-Leach-Bliley Act (GLBA), and registered national securities associations. Connecticut also exempts nonprofits and entities regulated by the Health Insurance Portability and Accountability Act (HIPAA); Colorado does not. In addition, Connecticut also exempts higher education entities. With respect to data level exemptions, data regulated under HIPAA, GLBA, the Fair Credit Reporting Act (FCRA) and the Driver’s Privacy Protection Act (DPPA) as well as employee and commercial business-to-business data are exempted under the Colorado and Connecticut laws. However, Colorado only exempts GLBA regulated data if the entity is GLBA compliant. Connecticut only exempts DPPA regulated data if the entity is DPPA complaint. And Connecticut exempts data regulated by the Family Educational Rights and Privacy Act but Colorado does not.
Moving forward, applicable entities must comply with the requirements and nuances of each law. Colorado placed joint enforcement authority in its attorney general and district attorneys. In contrast, Connecticut places its authority only with its attorney general for enforcement purposes. Currently, both laws offer a 60-day cure period during which applicable entities found to have violated the respective acts may remedy the noted issues before facing enforcement – the cure period is set to sunset for both on January 1, 2025. Applicable entities that violate the acts may face 5,000 USD per willful violation in Connecticut and up to 20,000 USD per violation in Colorado.
Following Connecticut and Colorado, Utah is the next state comprehensive privacy law to come into force with the Utah Consumer Privacy Act effective on December 31, 2023. In addition, Indiana, Iowa, Montana, and Tennessee each have passed their own comprehensive privacy acts so far this year – respective effective dates for such acts are set to rollout beginning in 2024 through 2026.
Contact Our Attorneys Today
The data protection and privacy lawyers at Kendall PC provide strategic legal services for companies of all sizes. We can help your business ensure consumer privacy and security protections in every stage of your company’s product and program development.
To learn how our attorneys can help your company, contact Kendall PC today online or at (484) 414-4093. Our firm proudly serves small, midsized, and emerging businesses throughout the United States and across the globe.