On July 7, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, making Colorado the third U.S. state to enact comprehensive data privacy legislation. Slated to go into effect on July 1, 2023, the CPA is similar in some respects to the privacy laws already passed by California (CCPA and CPRA) and Virginia (CDPA). The CPA generally follows the model set by Virginia’s law, providing “consumers” with certain privacy rights and imposing duties on the “controllers” and “processors” of those consumers’ personal data. However, it also contains important differences from both the Virginia and California laws that will put Colorado at the forefront of consumer privacy.
When and to Whom Does the CPA Apply?
Under the CPA, “consumer” means a Colorado resident acting in an individual or household context. Because it does not include an individual acting in an employment or commercial context, the definition has a built-in exclusion for business-to-business and employment contexts.
The CPA applies only to “controllers,” defined as any person who, alone or jointly with others, determines the purposes for and means of processing personal data. For the CPA to apply, a controller must conduct business in Colorado and meet one of two thresholds: 1) controlling or processing the personal data of 100,000 or more consumers during a calendar year; and/or 2) drawing revenue from the sale of personal data and processing or controlling the personal data of 25,000 or more consumers. Personal data processed by a “processor” on behalf of a controller counts toward those thresholds.
The CPA contains several notable exclusions to applicability. Unlike California’s limited exclusion, the CPA contains a full exclusion for financial institutions subject to the federal Gramm-Leach-Bliley Act. The CPA also does not apply to some types of patient and health information governed by the Health Insurance Portability and Accountability Act (HIPAA).
Consumer Rights Under the CPA
The CPA grants Colorado consumers specific rights over how controllers process their personal data. In this case, personal data means “information that is linked or reasonably linkable to an identified or identifiable individual.” Publicly available or otherwise anonymized information and employment records are not included within this definition. The rights afforded to consumers include: the right to opt out of certain processing of personal data, the right to gain access to personal data, the right to rectify incorrect personal data, the right to delete personal data, and the right to data portability. Consumers can exercise these rights by submitting formal requests, which controllers must then act upon within 45 days.
Duties Assigned to Controllers and Processors
Under the CPA, the duties of controllers include:
- The duty of transparency: Controllers will need to ensure that their privacy policies clearly and meaningfully disclose specific types of practices, as well as the manner in which consumers may exercise their rights. Unlike the California privacy law, the CPA does not require a “Do Not Sell My Information” page, but Colorado’s attorney general is expected to promulgate rules that will expound on the technical specifications for one or more universal opt-out mechanisms.
- The duty of purpose specification: Data must be collected for a narrowly tailored and specific purpose. A vague or indeterminate “usefulness” at some point in the future is not sufficient.
- The duty of data minimization: Similar to the duty of purpose specification, the collected data should be sufficient to meet the specified purpose and no more.
- The duty to avoid secondary use: Controllers should avoid secondary uses of data that would violate the CPA if they were primary uses.
- The duty of care: Controllers must exercise “reasonable care” during both the collection and storage of data.
- The duty to avoid unlawful discrimination: Data collected must not be used for an unlawful discriminatory purpose.
- Duties regarding “sensitive” data: Controllers need to obtain consent to collect personal data revealing religious beliefs, racial or ethnic origin, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal information of a known child. In the case of a child below 13 years old, consent should be given by the child’s parent or legal guardian.
Processors are required to follow the controller’s instructions and aid the controller in fulfilling its obligations under the CPA. Processors must also enter into a contract with the controller spelling out various criteria relating to what personal data will be processed, how it will be processed and retained, and audit/compliance rights.
Data Protection and Data Security Assessments
Processors and controllers alike are required to implement appropriate organizational and technical measures to ensure a level of security that appropriately corresponds to the risk. For many businesses, this type of data security requirement already exists for personally identifiable information under Colorado’s data security law. Companies should assess this carefully, however, as the definition of “personal data” under the CPA is significantly broader than personally identifiable information under Colorado’s data security law.
A new requirement of the CPA is the performance of “data protection assessments” for controllers whose processing creates an elevated chance of consumer harm. Processing that presents a heightened risk of harm is defined to include processing for the purpose of targeted advertising and profiling, selling personal data, and processing sensitive data. When performing the data protection assessment, controllers must weigh the benefits against the risks to the rights of the consumer, as well as potential safeguards that may reduce those risks. Controllers must make the data protection assessments available to the state’s attorney general upon request.
Rulemaking and Enforcement
In contrast to Virginia’s law, the CPA provides the attorney general with the authority to promulgate rules for the purpose of carrying out the CPA. Whereas the authority to promulgate rules generally implies discretion, the attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms no later than July 1, 2023. The attorney general also has the discretion to adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses that includes a good faith reliance defense of an action that may otherwise constitute a violation of the CPA. This must be done by January 1, 2025, if at all.
The CPA does not provide for a private right of action. Instead, the attorney general and district attorneys will have exclusive enforcement powers, with violations punishable by civil penalties of up to $20,000 for each violation, with each consumer involved constituting a separate violation. The maximum penalty is $500,000 for one related series of violations.
Although the Colorado Privacy Act does not go into effect until 2023, businesses should, at minimum, begin ensuring that they have a full grasp of their data collection, usage and documented policies so that they are well-prepared to meet their compliance obligations.