Four states passed new privacy bills in April of 2023: Iowa, Indiana, Montana, and Tennessee. While these new laws appropriately receive appreciable attention, the earliest any of them will go into effect is July 1, 2024. Meanwhile, the Colorado Privacy Act and Connecticut Personal Data Privacy and Online Monitoring Act both become effective on July 1, 2023 which are far more pressing concerns for companies still updating their privacy regimes. Below are some brief highlights of these two state privacy laws.

Colorado Privacy Act (CPA)

The CPA mainly applies to companies that determine the purpose and means of processing personal data (“controllers”) that conduct business in Colorado or intentionally target their products to Colorado residents if they either control or process personal data of at least 100,000 Colorado residents in one year or derives revenue or receives a discount on the price of goods or services from selling, processing, or controlling the personal data of 25,000 or more Colorado residents. There are limitations regarding commercial or employment contexts, as well as carveouts for data regulated by federal law, de-identified and pseudonymous data, and publicly available information.

The CPA’s requirements include privacy notices, explanation of and limitations to personal data processing, affirmative consent for processing certain sensitive data, affirmative consent requirements free of “dark pattern” interfaces, and data protection assessment requirements. Colorado consumers have the right to access, correct, delete, and transfer their personal data and may opt out of having their personal data processed for targeted advertising, sale, or profiling in certain circumstances. Engaging a data processor requires an agreement describing the data to be processed, duration, sub-processing restrictions, security and confidentiality requirements, and audit provisions.

Violation of the CPA constitutes a deceptive trade practice under Colorado law. Violators may be subject to injunctions prohibiting certain actions and civil penalties up to $20,000 per violation. There is no private right of action, so individual consumers cannot bring their own lawsuits to enforce the CPA. Businesses have a 60 day period to cure following notice of violation, although this provision ends January 1, 2025.

Connecticut Personal Data Privacy and Online Monitoring Act (“CTDPA”)

The CTDPA applies to companies that determine the purpose and means of processing personal data (“controllers”) that conduct business in Connecticut or intentionally target their products to Connecticut residents if they either control or process personal data of at least 100,000 Connecticut residents and derived over 25% of gross revenue from personal data sales. It includes significant restrictions for service providers who process personal data for businesses covered by the CTDPA. There are limitations regarding commercial or employment contexts, as well as carveouts for data regulated by federal law, de-identified and pseudonymous data, and publicly available information.

The CTDPA’s requirements include privacy notices, explanation of and limitations to personal data processing, affirmative consent for processing certain sensitive data, affirmative consent requirements that are not concealed in broad terms of use agreements, through “dark pattern” interfaces, using certain content interactions. Data protection assessment requirements are included. Connecticut consumers have the right to access, correct, delete, and transfer their personal data and may opt out of having their personal data processed for targeted advertising, sale, or profiling in certain circumstances. Additional limitations apply for consumers under 16 years old. Controllers may deny requests in certain circumstances, subject to an appeals process.  Engaging a data processor requires an agreement describing the data to be processed, duration, sub-processing restrictions, security and confidentiality requirements, and audit provisions.

Violation of the CTDPA constitutes an unfair trade practice under Connecticut law. Violators may be subject to injunctions prohibiting certain actions, restitution, disgorgement, and civil penalties up to $5,000 per violation. There is no private right of action, so individual consumers cannot bring their own lawsuits to enforce the CTDPA. Businesses have a 60 day period to cure after receiving a notice of violation, although this provision ends December 31, 2024.

About Providentia

Providentia exists to help scaling tech companies foresee the regulatory requirements that shape their business, build compliance into their products and make access to quality, tech-experienced legal support a competitive advantage. Providentia’s rich experience in the Silicon Valley tech industry guides every aspect of what we do, from the practice areas we focus on to our startup-accessible fee structure. We understand the unique environment that rapidly scaling technology companies face and have oriented our services towards providing the most practical, actionable and tech-relevant counsel. To get in touch with the team at Providentia to help you navigate your company’s legal challenges, please contact us.