On Thursday, July 8, 2021, Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law, making Colorado the third state in the U.S., joining Virginia and California, to adopt its own set of comprehensive privacy laws aimed at protecting the personal and sensitive data of its residents. Enforcement of the CPA will not begin until July 1, 2023, giving businesses time to ensure that they are compliant with CPA requirements.
CPA highlights & key takeaways
The good news is that the CPA is similar to the Virginia Consumer Data Protection Act (“VCDPA”), the California Consumer Privacy Act (“CCPA”), and the California Privacy Rights Enforcement Act (“CPRA”). As such, your business may already have the processes and infrastructure in place to begin adjustment in business practices to ensure compliance with the CPA. Below is a list of notable differences and key takeaways every business should be aware of while collecting, selling, processing, and using Colorado consumer personal and sensitive data:
Applicability of the CPA
The CPA seeks to protect the personal and sensitive data of Colorado consumers. “Consumers” under the CPA is limited to Colorado residents acting in an individual or household context. “Consumers” under the CPA do not include residents acting in a commercial or employment context.
Similar to the European General Data Protection Regulation, the CPA adopts the controller-processor framework. The CPA applies to all businesses (a) conducting business in Colorado or (b) producing products or services aimed at Colorado consumers, when such businesses meet one or both of the following thresholds: (x) controls or processes the personal data of 100,000 or more Colorado consumers in a calendar year and/or (y) derives revenue or receives discounts from selling personal data and/or processes or controls the personal data of 25,000 or more Colorado residents.
The CPA does not define what is considered “conducting business,” similar to the VCDPA, CCPA, and CPRA.
Note that unlike the CCPA and CPRA, the CPA does not have a revenue threshold—meaning that it applies to all businesses (including nonprofit organizations) that meet the requirements above, provided such business type is not exempt.
The CPA does not apply to certain specified entities, such as air carriers, as well as personally identifiable information collected pursuant to certain federal and state laws including, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act.
Consumer rights under the CPA
Under the CPA consumers have certain rights with respect to the processing of their personal and sensitive data, including:
The right to access, correct, delete, or request a copy of their personal data in a portable format.
The right to opt out of the sale of their personal data, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
The right to opt-in to the processing of sensitive data, which includes, but is not limited to data that identifies racial or ethnic origin, religious beliefs, citizenship or citizenship status, and sexual orientation. This right also applies to children’s data and genetic or biometric data used to uniquely identify a person.
Duties & obligations of businesses regulated by the CPA
Controllers are required to conduct and document all data protection assessments for activities that pose a reasonably foreseeable heightened risk of harming consumers.
Controllers and processors are required to contractually document their relationship. Contracts must include certain information and provisions that, among other requirements:
defines the type of data subject to, and duration of, the processing;
imposes confidentiality obligations on the persons engaged in processing;
gives the controller an opportunity to object to the use of subcontractors;
imposes a requirement that any subcontractors processing personal data must be bound by the same obligations, by way of written agreement, as the processor under the underlying agreement; and
imposes security requirements on both parties.
Controllers must respond within forty-five (45) days to an authenticated consumer request for his/her/they/them personal data, which can be extended by forty-five (45) additional days where reasonably necessary. Controllers must create a process to address consumers’ appeals to a controller’s unresponsiveness to a given request.
Controllers selling personal data or using it for targeted advertising, must have privacy notices that “clearly and conspicuously” disclose that fact and how consumers can opt out. Opt-out information must be provided in a “readily accessible location outside the privacy notice.” Note that the regulations do not specify how controllers must present consumers with these opt-out rights. By July 1, 2024, consumers must be permitted to opt out of the sale of their data or its use for targeted advertising through a “user-selected universal opt-out mechanism” determined by the attorney general.
Controllers must allow consumers to opt into the use of their sensitive data (defined above), before processing such data.
- Enforcement under the CPA
Under the CPA, Colorado’s Attorney General and state district attorneys are responsible for enforcing the provisions of the CPA, subject to a 60-day cure period for any alleged violations of the CPA. Such cure-period is currently available to businesses until 2025. The Colorado Attorney General is authorized to adopt rules regarding issuing opinion letters and guidance that businesses may rely on in good faith, creating a defense for businesses against an alleged violation of the CPA.
Although the CPA preempts any local or county Colorado laws and does not provide consumers with a private right of action, a violation of the CPA would be considered a deceptive trade practice under the Colorado Consumer Protection Act (the “Act”). Violations under the Act may result in the imposition of civil penalties of up to $2,000 per violation (i.e., per consumer and per transaction) with a maximum penalty of $500,000 for related violations.
The key takeaways above provide a high level summary highlighting some of the requirements of the CPA. Businesses should ensure that they not only understand and comprehend these key takeaways, but also ensure that they are compliant with all of the duties and obligations applicable to processors and controllers engaged in the sale and use of Colorado residents’ personal and sensitive data. As more states begin to adopt their own privacy laws aimed at protecting the personal data of their residents, businesses should continue to create a data privacy and cybersecurity infrastructure that provides clear notices to consumers regarding the use and sale of their personal data and continue to stay abreast of the changing privacy landscape in the U.S.