After California and Virginia, the state of Colorado has now also reformed its data protection law: on June 8th, 2021, the state legislature passed the Colorado Privacy Act (CPA). If Governor Jared Polis signs it, Colorado will be the third state in the US to have a comprehensive data protection law modeled on the GDPR. Although there are differences, the CPA is very similar to the California Privacy Rights Act of 2020 (CPRA), which amended the California Consumer Privacy Act of 2018 (CCPA), and to the recently enacted Virginia Consumer Data Protection Act. Global US companies should get by with relatively minor revisions to their privacy programs if those programs are already aligned with the California and Virginia laws.
The CPA shows again that states are closing the gap created by the lack of a comprehensive federal law. The effort for affected companies, including those based outside of Colorado, and the consumer confusion inherent in the multitude of federal rules are likely to increase as more states pass extensive data protection laws. If the CPA is signed by the governor, which is very likely, it will take full effect on July 1, 2023.