Data Privacy Rights Expand as Colorado, Connecticut Laws Go Live

Consumer data privacy laws in Colorado and Connecticut come into effect July 1, expanding the assortment of state-level requirements businesses throughout the country will have to comply with.

The two states follow privacy laws already in effect in California—with enforcement of its latest regulations also starting next month—and Virginia that aim to give consumers more rights over how companies collect and use their data, including options to limit use of their personal information or ask that companies delete it. Utah will be next to implement its privacy law at the end of this year, while Tennessee, Indiana, and other states recently enacted comprehensive privacy measures.

State privacy laws pose a moving target for companies trying to comply with all of them, said Brandon Robinson, partner and chair of the data privacy and security practice at Balch & Bingham LLP. The laws generally create similar new rights for consumers, such as the right to know what data a company collects and the right to correct that data, but differ in specific requirements.

“I do think there is a level of anxiety out there about wanting to be compliant with these,” Robinson said. “And I think some of the concern is that every week, we turn on our email, and there’s a new one that’s passed that’s similar but slightly different.”

State Differences

The Colorado and Connecticut laws apply to entities that do business in the states or target their residents if they meet specified data sale or processing thresholds, with some exceptions. Colorado diverges from other state privacy laws by covering nonprofit organizations in addition to companies.

Privacy law concepts are becoming increasingly familiar to companies, especially as many businesses already fall under existing requirements, said Tara Cho, partner and chair of the privacy and cybersecurity practice at Womble Bond Dickinson LLP. Still, state laws each have their own nuances, she said.

California is the only state to create a new regulatory agency to implement its privacy law. Colorado also took a more prescriptive approach to its privacy law through rules that provide additional information on its requirements, Cho said. Laws in Connecticut and Virginia, on the other hand, didn’t include rulemaking authority.

“There’s a lot less detail about the ‘how,’” Cho said of Connecticut and Virginia.

Colorado also has some new concepts in its regulations, such as provisions regarding loyalty programs and data protection impact assessments, said Christian Auty, partner at Bryan Cave Leighton Paisner LLP who advises clients on privacy issues in sectors such as retail and hospitality.

Connecticut could expand privacy protections this year beyond its comprehensive consumer law. A measure passed by both legislative chambers would create new rights related to health data and the personal data of minors.

“It’s already a moving target as we approach the effective date,” Cho said.

Regulator Guidance

Privacy attorneys are watching how regulators implement the new laws. The attorney general will enforce Connecticut’s law while the attorney general and local district attorneys have enforcement power in Colorado. Both state laws include temporary periods that allow companies to be notified of fixable violations and remedy them before facing penalties.

“I think most practitioners will be looking to glean any knowledge or insights from potential enforcement actions,” Cho said.

How state privacy laws will be interpreted and applied is still unclear in many cases, Auty said. Practitioners are helping their clients make good-faith efforts to comply with them as well as prepare to adapt to new regulatory and enforcement information, he said.

“The guidance that we get is going to be really invaluable,” Auty said.

The 60-day window to fix violations in both Connecticut and Colorado can be used to address “differences of opinion,” but companies should be compliant as soon as possible based on the information they already have, Robinson said. That compliance flexibility sunsets at the end of 2024.

“We need to get some basics in place and lay that foundation for knowing where your data is, what you do with it, reviewing your contracts, and having the mechanisms in place to respond to consumer requests and to receive them,” he said.