Effective July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will come into force, joining California and Virginia, which already have data privacy laws in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) took effect on January 1, 2023, enforcement of those amendments will also begin on July 1, 2023. Although these laws have overlapping compliance obligations, businesses should be aware of the specific obligations outlined in ColoPA, including the recently finalized ColoPA Rules, and the CTDPA, as they may necessitate updates to privacy notices and practices. This notification provides a brief overview of the significant obligations under ColoPA and the CTDPA to assist companies in preparing for compliance by the July 1 deadline.
Colorado:
Entities subject to ColoPA, including the ColoPA Rules that were finalized on March 15, 2023, can face civil penalties of up to $20,000 per violation for noncompliance that is not cured within 60 days. Therefore, businesses should review the following key points to ensure they have adequately addressed their obligations:
- Privacy Notice Content Requirements: Unlike the CCPA, ColoPA mandates that controllers map each category of personal data collected to their specific use of that data. Controllers are also required to notify consumers of significant changes to their privacy notices, such as sharing personal data with new categories of third parties or processing personal data for new purposes.
- Consent: ColoPA necessitates obtaining opt-in consent before processing various types of data, including sensitive data, personal data regarding known children, and processing personal data for new purposes (even if collected before July 1, 2023). ColoPA also establishes specific requirements for obtaining valid and informed consent.
- Consent for Previously Collected Data, Reseeking Consent, and Refreshing Consent: Companies should pay attention to other consent-related requirements. For instance, controllers must refresh previously obtained consents if consumers have not engaged with the controller in the past 24 months, unless consumers have the ability to update their opt-out preferences at any time through a user-controlled interface. Controllers failing to obtain valid consent to continue processing sensitive data collected before July 1, 2023, have until July 1, 2024, to obtain that consent. Controllers can also seek renewed consent from consumers if they have a “reasonable belief” that the consumer intended to opt back into the sale or processing of personal data for targeted advertising.
- Right to Opt Out: Similar to the CCPA, ColoPA grants consumers the right to opt out of the sale of their personal data. However, ColoPA goes further by allowing consumers to opt out of any use or processing of personal data for targeted advertising purposes. ColoPA confirms that using phrases like “Your Privacy Choices” as opt-out link text is valid, aligning with one of the options provided by the CCPA.
- Data Minimization: Businesses storing personal data, including photographs, audio or voice recordings, and biometric identifiers, must annually assess the necessity, adequacy, or relevance of such storage for the stated processing purpose.
- Data Protection Assessments: ColoPA Rules require companies to conduct data protection assessments for processing activities conducted after July 1, 2023, that pose a heightened risk of harm to consumers. ColoPA provides more detailed guidance on conducting these assessments compared to the CCPA and the Virginia Consumer Data Protection Act (VCDPA).
Connecticut:
While the scope and applicability of the CTDPA were previously covered, companies should be aware that the Connecticut state legislature recently amended the CTDPA to introduce new data privacy requirements for consumer health data and children’s personal data. The provisions related to consumer health data will take effect on July 1, 2023, while those concerning children’s data will become effective in July and October 2024. From July 1, 2023, until December 31, 2024, the Connecticut Attorney General will notify companies of alleged violations and provide a 60-day period for cure, if deemed possible. However, starting January 1, 2025, the attorney general will have discretion in granting an opportunity to cure to controllers or processors.
Companies that have already begun preparing for compliance with the laws in Colorado and Virginia may still require further updates to comply with the CTDPA. The following summarizes the major differences between these laws and highlights the key obligations under the CTDPA, which was passed on May 10, 2022, and amended on June 2, 2023:
- Expanded Definition of Sensitive Data: The CTDPA mandates that controllers obtain consent before processing sensitive data, aligning with the VCDPA and ColoPA. The amended CTDPA broadens the definition of “sensitive data” to include “consumer health data” and “data concerning an individual’s status as a victim of a crime.”
- Right to Opt Out: Like Colorado and Virginia, Connecticut residents will have the right to opt out of personal data sales, targeted advertising, and profiling. However, unlike ColoPA, the CTDPA does not require authenticated opt-outs.
- New Prohibitions on the Disclosure of Consumer Health Data: The amended CTDPA introduces specific requirements for consumer health data, including restrictions on providing employees or contractors with such data without a contractual or statutory duty of confidentiality. It also prohibits the use of geofences near certain healthcare facilities and the sale of consumer health data without consumer consent.
Companies should promptly address these new obligations before July 1. Businesses that updated their notices and practices in January 2023, coinciding with the implementation of the CPRA and VCDPA, with the goal of remaining compliant throughout 2023, will likely need to address the subsequent developments and revisit their compliance practices.