On July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will go into effect, joining California and Virginia, whose data privacy laws are already in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, those amendments will also become enforceable starting July 1, 2023. While there are a number of compliance obligations that overlap among these laws, businesses should be aware of the key obligations for ColoPA, specifically the ColoPA Rules that were finalized just a few months ago, and the CTDPA, since they may require businesses to update their privacy notices and practices. This alert provides a high-level summary of significant obligations from the ColoPA law and regulations and the CTDPA to aid companies preparing to be in compliance by the July 1st deadline.
Colorado
As covered in prior alerts,[1] entities subject to ColoPA, which includes the ColoPA Rules finalized on March 15, 2023, can face civil penalties of up to $20,000 per violation for noncompliance if the violation cannot be cured within 60 days. As such, businesses should go through these key takeaways to ensure they have properly considered the obligations for their companies:
Connecticut
While we previously covered the scope and applicability of the CTDPA, companies should be aware that just a few weeks ago, the Connecticut state legislature amended the CTDPA by creating new data privacy requirements for consumer health data and children’s personal data.[3] The provisions related to processing of consumer health data will take effect on July 1, 2023, whereas other provisions related to the use and processing of children’s data will go into effect in July and October of 2024. From July 1, 2023, through December 31, 2024, the Connecticut Attorney General will provide companies with a notice of alleged violations and a 60-day cure period, if the attorney general determines that a cure is possible. But beginning on January 1, 2025, the attorney general will have discretion on whether to grant a controller or processor an opportunity to cure.
Companies that have already begun preparing for compliance with the laws in Colorado and Virginia will likely still require additional updates to comply with the CTDPA. Below, we summarize the major differences between these laws and the key obligations from the CTDPA passed on May 10, 2022, and as amended on June 2, 2023.
Businesses should not delay in addressing some or all of these new obligations until July 1. Companies that updated their notice and practices for January 2023, when the CPRA and VCDPA went into effect, with the aim to be compliant throughout 2023 will almost certainly need to address the many developments since then and should revisit their compliance practices.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA, ColoPA, and CTDPA compliance efforts, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] We previously covered the Colorado AG’s rulemaking process and pre-rulemaking considerations in the following Wilson Sonsini Alerts: “Colorado AG’s Office Announces Final Colorado Privacy Act Rules: Key Takeaways,” “Colorado Attorney General’s Office Releases Third Version of Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General Announces Privacy Rulemaking,” and “Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act.” We also provided an overview of the ColoPA’s key requirements in another Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”
[2] Referred to as “cross-context behavioral advertising” in the CCPA.
[3] See passed Senate Bill 3 (enacted on June 2, 2023).
[4] Defines “consumer health data” as “any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”