Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which the Act will become effective July 1, 2023, giving covered entities roughly two years to become compliant.

While the ColoPA draws heavily from Virginia’s Consumer Data Protection Act (“VDPA”), the California Privacy Rights Act of 2020 (“CPRA”), which amends and expands the California’s Consumer Privacy Act (“CCPA”), and the European Union’s General Data Protection Regulation (“GDPR”), there are material differences amongst these laws. Without federal legislation that includes preemption, it is likely that states will continue to enact privacy laws and that such laws will continue to diverge from one another in nuanced ways. To combat rising compliance costs and growing uncertainty for covered entities, commissioners at the Federal Trade Commission have begun to discuss using their rulemaking authority to establish a unified privacy framework. Until that time, however, covered entities must remain informed of their obligations under each law applicable to them and adapt their privacy programs accordingly.

This alert memorandum summarizes key elements of the Act while highlighting its similarities and differences with the CCPA/CPRA, VDPA and GDPR.