On the final day of its 2021 legislative session, the “melon capital of the world,” otherwise known as the state of Colorado, got the stamp of approval to implement the third comprehensive consumer privacy law in the United States.
Signed into law by Governor Jared Polis on July 7th, the Loi sur la protection de la vie privée du Colorado (CPA) takes on particular significance in light of the recent failures of similar proposed laws in Washington, Florida, and New York — and as the clock continues to run on similar efforts in other state legislatures.
What Is the Colorado Privacy Act (CPA)
The CPA is modeled on the failed Loi sur la protection de la vie privée de l'État de Washington et Virginia Consumer Data Protection Act (CDPA), with some key differences.
The law applies to “data controllers” that conduct business in Colorado, or provide products or services that are intentionally targeted to residents of Colorado — and either:
- control or process the personal data of 100,000 or more Colorado residents annually; or
- derive revenue or receive a discount on the price of goods or services from the “sale” of données personnelles, and process or control the personal data of 25,000 or more Colorado residents.
CPA Scope and Exemptions
The CPA defines “consumer” as an individual who is a Colorado resident acting in an individual or household context. As it does not include an individual acting in a commercial or employment context, the law has a built-in exclusion for the employment and business-to-business contexts.
Unlike the California model’s limited exclusion under the Loi californienne sur la protection de la vie privée des consommateurs (CCPA), Colorado’s CPA contains several substantive exclusions, including a full exclusion for financial institutions that are subject to the federal Loi Gramm-Leach-Bliley (GLBA). When it comes to health data covered by the Health Insurance Portability and Accountability Act (HIPAA), however, the CPA does not include full exclusion for soins de santé organizations — only certain types of health and patient information.
Data Definitions Under CPA
Personal data — Under CPA, personal data means: “information that is linked or reasonably linked to an identified or identifiable individual.”
Données sensibles — CPA defines données sensibles as:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sex life or sexual orientation, or citizenship status
- genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- personal data from a known child
Unlike Virginia’s CDPA and California’s upcoming California Privacy Rights Act (CPRA), this definition for sensitive data does not include precise geolocation, presenting a material difference for controllers in how they tag and label their data based on state residency. Note that controllers may only process sensitive data with consumer consent — or parental consent given by a child’s parent or legal guardian.
Colorado Privacy Act Requirements
Droits des données
Colorado consumers can exercise their droits sur les données by submitting formal requests, and controllers must act on a request within 45 days. Consumer rights with respect to personal data include the right to:
- opt out of certain processing of personal data
- access personal data
- correct inaccurate personal data
- delete personal data; and
- data portability
Controllers have additional transparency requirements in which they must clearly and meaningfully disclose specific types of practices — as well as the manner in which consumers may exercise their rights.
The CPA does not specifically require a “do not sell my information” page like the California law, but the Colorado Attorney General is expected to announce rules that detail technical specifications for one or more “universal opt-out mechanisms.”
Exigences pour les responsables du traitement des données
Évaluations de la protection des données — The proposed CPA obligates controllers to conduct data protection assessments involving personal data with respect to each of the following processing activities:
- le traitement des données personnelles à des fins de publicité ciblée
- la vente de données personnelles
- le traitement de données à caractère personnel à des fins de profilage lorsque ce profilage présente un risque raisonnablement prévisible de préjudice important pour les consommateurs
- le traitement des données sensibles
- toute activité de traitement impliquant des données personnelles qui présente un risque accru de préjudice pour le consommateur
Purpose Specification — A controller must specify the express purpose for which personal data is collected and processed — a requirement that falls in line with the EU’s Règlement général sur la protection des données (RGPD) and the Fair Information Practice Principles.
Minimisation des données — A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purpose for which such data is processed.
Duty to Avoid Secondary Use — A controller cannot process personal data for purposes that are not reasonably necessary or compatible with the specified purposes for which the personal data is processed without first obtaining consent.
Duty of Care — The duty of care segues into security requirements. Both controllers and processors must implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk. For many companies, this type of data security requirement already exists for Informations personnelles identifiables (IPI) under Colorado’s data security law. However, the definition of “personal data” under the CPA is significantly broader than PII under Colorado’s data security law.
Exigences supplémentaires pour les sous-traitants de données
As with Virginia’s CDPA and the EU’s GDPR, processors are required to adhere to obligations under the CPA — and assist controllers in meeting those obligations. This also requires a written contract specifying:
- what personal data will be processed
- how the data will be processed and retained
- audit/compliance rights
CPA Enforcement and Effective Date
Like Virginia’s CDPA, Colorado’s CPA is enforceable through civil actions brought by the state attorney general. Though there is no private right of action for consumers, the attorney general and district attorneys will have exclusive enforcement powers, which can result in up to $20,000 for each violation, and each consumer involved constitutes a separate violation. The maximum penalty is $500,000 for one related series of violations.
Similar to the California law, the Colorado Attorney General has the authority to promulgate rules for the purpose of carrying out the CPA. In addition, the attorney general is explicitly required to adopt rules relating to the technical specifications for universal opt-out mechanisms by no later than July 1, 2023. And if it so chooses, the AG office can also create its own rules and guidance to help businesses comply with CPA — and those rules must be published by January 2025.
For companies that are complying with a state privacy regulation for the first time, CPA will require significant changes. The Colorado AG’s rules will provide more guidance, but businesses should begin ensuring that they have a full grasp of their data collection, usage, and documented policies now — so they can prepare to meet their compliance obligations in the future.
While companies already subject to CPRA, CDPAet GDPR will have a leg up in preparing for the new law, coming up with a proactive strategy for compliance with CPA’s unique provisions — and its integration in the matrix of existing privacy regulations — will be key.
Obtenez un Démonstration 1:1 to see how BigID helps organizations address upcoming requirements for CPA compliance — and build a proactive privacy program for current and emerging règlements.
Auteur
