Does Your Company Need a Privacy Policy?

April 19, 2022

By: Angie M. Fletcher

Employment law often intersects with other fields of law, particularly corporate law. For instance, often when an executive enters into an employment agreement with a company, it involves the granting of stock or stock options. Like any legal issue, this needs to be carefully documented to make sure that both parties are getting what they bargained for, and there are no misunderstandings or disputes. Corporate attorneys can be very helpful in such situations. There are many other examples. Below, Angie Fletcher of Fairfield and Woods’ Corporate Department tells us about a new data privacy law, which could pose a challenge for a business operating in Colorado. 


On the heels of other countries and states enacting their own privacy laws, the Colorado Privacy Act will go into effect in July 2023. The recent wave of privacy legislation took off in 2018, with the European Union (EU) implementing the General Data Protection Regulation (GDPR). Companies that target or collect data on EU residents are required to comply with the GDPR privacy obligations. More information about the GDPR can be found here. Also in 2018, California became the first US state to enact its own set of privacy laws, the California Consumer Privacy Act (CCPA), which expanded consumers’ rights to access and control their personal data. Virginia passed its Consumer Data Protection Act (VCDPA) in 2021, which will take effect in January 2023. These privacy laws grant rights to their residents and permit them to access, correct, delete or obtain a copy of their personal data and opt out of the business’s personal data usage.

Similarly, the Colorado Privacy Act (CPA) seeks to protect and enforce consumers’ rights to privacy. The CPA impacts any business producing or delivering commercial products or services in Colorado. More specifically, if a business intentionally targets residents of Colorado and (1) controls or processes the personal data of at least 100,000 individuals during a calendar year or (2) derives revenue or receives a discount on goods or services in exchange for the sale of personal data of at least 25,000 individuals, that business will be required to comply with the Colorado Privacy Act. More information about the Colorado Privacy Act can be found here.

Enforcement of the privacy laws varies, but businesses can expect to incur damages of up to $7,500 for each intentional violation in California and Virginia, and up to $20,000 for each violation in Colorado. One of the best ways to protect your business from these fines is to adopt and implement a privacy policy that can be accessed by consumers. Those who conduct business in Colorado should consult competent counsel and consider whether they need a privacy policy to address the CPA.