On the final day of its 2021 legislative session, the “melon capital of the world,” otherwise known as the state of Colorado, got the stamp of approval to implement the third comprehensive consumer privacy law in the United States.
Signed into law by Governor Jared Polis on July 7th, the Colorado Privacy Act (CPA) takes on particular significance in light of the recent failures of similar proposed laws in Washington, Florida, and New York — and as the clock continues to run on similar efforts in other state legislatures.
What Is the Colorado Privacy Act (CPA)
The law applies to “data controllers” that conduct business in Colorado, or provide products or services that are intentionally targeted to residents of Colorado — and either:
- control or process the personal data of 100,000 or more Colorado residents annually; or
- derive revenue or receive a discount on the price of goods or services from the “sale” of personal data, and process or control the personal data of 25,000 or more Colorado residents.
CPA Scope and Exemptions
The CPA defines “consumer” as an individual who is a Colorado resident acting in an individual or household context. As it does not include an individual acting in a commercial or employment context, the law has a built-in exclusion for the employment and business-to-business contexts.
Unlike the California model’s limited exclusion under the California Consumer Privacy Act (CCPA), Colorado’s CPA contains several substantive exclusions, including a full exclusion for financial institutions that are subject to the federal Gramm-Leach-Bliley Act (GLBA). When it comes to health data covered by the Health Insurance Portability and Accountability Act (HIPAA), however, the CPA does not include full exclusion for healthcare organizations — only certain types of health and patient information.
Data Definitions Under CPA
Personal data — Under CPA, personal data means: “information that is linked or reasonably linked to an identified or identifiable individual.”
Sensitive data — CPA defines sensitive data as:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sex life or sexual orientation, or citizenship status
- genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- personal data from a known child
Unlike Virginia’s CDPA and California’s upcoming California Privacy Rights Act (CPRA), this definition for sensitive data does not include precise geolocation, presenting a material difference for controllers in how they tag and label their data based on state residency. Note that controllers may only process sensitive data with consumer consent — or parental consent given by a child’s parent or legal guardian.
Colorado Privacy Act Requirements
Colorado consumers can exercise their data rights by submitting formal requests, and controllers must act on a request within 45 days. Consumer rights with respect to personal data include the right to:
- opt out of certain processing of personal data
- access personal data
- correct inaccurate personal data
- delete personal data; and
- data portability
Controllers have additional transparency requirements in which they must clearly and meaningfully disclose specific types of practices — as well as the manner in which consumers may exercise their rights.
The CPA does not specifically require a “do not sell my information” page like the California law, but the Colorado Attorney General is expected to announce rules that detail technical specifications for one or more “universal opt-out mechanisms.”
Requirements for Data Controllers
Data Protection Assessments — The proposed CPA obligates controllers to conduct data protection assessments involving personal data with respect to each of the following processing activities:
- the processing of personal data for purposes of targeted advertising
- the sale of personal data
- the processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of a substantial injury to consumers
- the processing of sensitive data
- any processing activities involving personal data that present a heightened risk of harm to the consumer
Purpose Specification — A controller must specify the express purpose for which personal data is collected and processed — a requirement that falls in line with the EU’s General Data Protection Regulation (GDPR) and the Fair Information Practice Principles.
Data Minimization — A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purpose for which such data is processed.
Duty to Avoid Secondary Use — A controller cannot process personal data for purposes that are not reasonably necessary or compatible with the specified purposes for which the personal data is processed without first obtaining consent.
Duty of Care — The duty of care segues into security requirements. Both controllers and processors must implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk. For many companies, this type of data security requirement already exists for Personally Identifiable Information (PII) under Colorado’s data security law. However, the definition of “personal data” under the CPA is significantly broader than PII under Colorado’s data security law.
Additional Requirements for Data Processors
As with Virginia’s CDPA and the EU’s GDPR, processors are required to adhere to obligations under the CPA — and assist controllers in meeting those obligations. This also requires a written contract specifying:
- what personal data will be processed
- how the data will be processed and retained
- audit/compliance rights
CPA Enforcement and Effective Date
Like Virginia’s CDPA, Colorado’s CPA is enforceable through civil actions brought by the state attorney general. Though there is no private right of action for consumers, the attorney general and district attorneys will have exclusive enforcement powers, which can result in up to $20,000 for each violation, and each consumer involved constitutes a separate violation. The maximum penalty is $500,000 for one related series of violations.
Similar to the California law, the Colorado Attorney General has the authority to promulgate rules for the purpose of carrying out the CPA. In addition, the attorney general is explicitly required to adopt rules relating to the technical specifications for universal opt-out mechanisms by no later than July 1, 2023. And if it so chooses, the AG office can also create its own rules and guidance to help businesses comply with CPA — and those rules must be published by January 2025.
For companies that are complying with a state privacy regulation for the first time, CPA will require significant changes. The Colorado AG’s rules will provide more guidance, but businesses should begin ensuring that they have a full grasp of their data collection, usage, and documented policies now — so they can prepare to meet their compliance obligations in the future.
While companies already subject to CPRA, CDPA, and GDPR will have a leg up in preparing for the new law, coming up with a proactive strategy for compliance with CPA’s unique provisions — and its integration in the matrix of existing privacy regulations — will be key.