The CPA is the latest addition to a growing list of state privacy laws in the United States, following in the footsteps of California's Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA).
Signed into law on July 7, 2021, and scheduled to go into effect on July 1, 2023.
The CPA applies to organizations that conduct business in Colorado or produce products or services targeted to Colorado residents and that either control or process the personal data of 100.000 or more Colorado residents annually or derive revenue from the sale of personal data and control or process the personal data of 25.000 or more Colorado residents.
One notable difference between the CPA and other state privacy laws is that the CPA does not include a private right of action, which means that individuals cannot sue organizations for violations of the CPA.
The CPA provides enforcement authority to the Colorado Attorney General's office and allows for civil penalties of up to $20,000 per violation, with a cap of $500,000 per event.
The Data Protection Act (DPA) is a UK law that regulates how personal data is collected, processed, and used. The DPA was first introduced in 1984 and has since been updated to reflect changes in technology and data processing practices and incorporates the provisions of the European Union's General Data Protection Regulation (GDPR) into UK law.