An Introduction to the Colorado Privacy Act
The latest in an emerging patchwork of state privacy legislation in the United States, Colorado recently passed and signed into law the Colorado Privacy Act (CPA). It is mostly an iteration of Virginia’s Consumer Data Protection Act (CDPA), also passed this year, but it has a few of its own unique features. It also takes a number of cues from the California Consumer Privacy Act (CCPA), America’s first comprehensive data privacy law.
The CPA goes into effect on July 1, 2023, but it’s not too early for businesses to start evaluating the new law and how it will affect their data privacy compliance strategy.
Who Must Comply With the Colorado Privacy Act?
Like the CDPA, the CPA borrows some of its terminology from the European Union’s General Data Protection Regulation (GDPR). Most of the law’s obligations fall on “controllers,” i.e., persons or entities that determine “the purposes for and means of processing personal data.” A controller must comply with the CPA if it (1) conducts business in Colorado or produces commercial products or services intentionally targeted to state residents and (2) meets one of the following criteria:
- Controls or processes the personal data of at least 100,000 Colorado consumers annually
- Controls or processes the personal data of at least 25,000 Colorado consumers and derives any revenue or receives a discount on products or services from the sale of personal data
This second threshold is unique to the CPA and has the potential to apply to more businesses than either the CCPA or CDPA. “Sale” is defined as any exchange of personal data for monetary or other valuable consideration. The “or other valuable consideration” component is taken from the CCPA, and as with the CCPA, it is vague and open to interpretation. However, this section of the law strongly suggests that a discount on products or services is considered valuable consideration, possibly qualifying many disclosures of personal data as sales. For example, if a business uses free cloud-based software and enters consumers’ personal data into that program, that could be considered a discount; unless the exchange of data falls under one of the exceptions to the definition of selling, it may be a sale of personal data.
Who Is Protected by the CPA?
The CPA protects “consumers,” defined as Colorado residents acting in an individual or household capacity. It specifically does not include people acting in a commercial or employment context, so businesses do not have to extend CPA protections to their employees or B2B contacts. This is different from the CCPA, which currently has only a temporary exemption for employment and B2B data.
What Kind of Personal Information Is Covered?
The CPA applies to consumers’ “personal data,” defined as information that is “linked or linkable to an identified or identifiable individual.” This definition is comparable to language found in other privacy legislation and can encompass a wide variety of data. For this reason, the types of information specifically identified as not being personal data are very important. For example, publicly available information—information made available from government records or which the consumer has made widely available—is not considered personal data.
There are also numerous exemptions for entities and data that are already covered by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA).
Controllers have several duties under the CPA. These duties are:
- Duty of Transparency - Controllers must post a reasonably accessible, clear, and meaningful privacy notice that includes:
  - The categories of personal data processed
  - The purposes for which the data is processed
  - How and where consumers may exercise their privacy rights
  - The categories of personal data shared with third parties
  - The categories of third parties with whom they share personal data
  - Disclosure of any sale of personal data or processing for targeted advertising, along with the method for opting out
- Duty of Purpose Specification - Controllers must identify the express purposes for processing personal data.
- Duty of Data Minimization - Collection of personal data should be adequate, relevant, and limited to what is reasonably necessary for the specified purposes.
- Duty to Avoid Secondary Use - Controllers cannot process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes, without first obtaining the consumer’s consent.
- Duty of Care - Controllers must implement reasonable data security practices appropriate to the volume, scope, and nature of the personal data being processed.
- Duty to Avoid Unlawful Discrimination - Controllers may not process personal data in violation of federal and state discrimination laws.
- Duty Regarding Sensitive Data - Controllers may only process sensitive data with the consumer’s consent (described in more detail below).
In addition to this list of duties, controllers must also respond to consumer requests with regard to their privacy rights.
Consumer Rights Under the CPA
The CPA creates several data privacy rights for consumers, all of which are familiar from the CDPA and CCPA.
- Right to Access – Consumers have the right to know whether a controller is processing personal data about them and to access that data
- Right to Portability – When exercising their right to access, consumers have the right to receive their data in a portable and readily usable format that allows them to easily transmit the data to another party
- Right to Delete – Consumers can request the deletion of their personal data, with some exceptions
- Right to Correction – Consumers can request a controller to correct inaccurate personal data it holds about them
- Right to Opt Out – Consumers can opt out of the sale of their personal data, the processing of their data for targeted advertising, and profiling in furtherance of decisions that produce legal or other significant effects for the consumer
As with the CDPA, any processing of “sensitive data” may only be done with the consumer’s prior consent. Sensitive data is:
- Personal data that reveals a person’s racial or ethnic origin, physical or mental health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data from a known child
A “child” is anyone under the age of 13. This is one area where the CPA and CDPA are more restrictive than the CCPA. Under the CCPA, a business must have consent before selling the personal information of consumers under the age of 16; the CPA requires a parent or guardian’s consent before any processing of a child’s personal data.
Consent must be “freely given, specific, informed, and unambiguous.” Among other things, this means that such consent cannot be buried in a larger set of terms and conditions. Consent also must be given by an affirmative act, so it probably cannot take the form of “By continuing to use this website you consent to the following…” (or some version of that). Nor can valid consent be obtained by “dark patterns,” user interfaces designed to subvert or impair user autonomy, decision making, or choice. A common example of a dark pattern is to make a button you want the user to click (“Yes, I agree”) much larger and more colorful than the button you don’t want them to click (“No, I don’t agree”).
Data Protection Assessments
Before conducting any processing that presents a “heightened risk of harm” to consumers, a controller must first complete a data protection assessment. A data protection assessment is a written document that weighs the benefits of the processing against any risks to the rights of the consumer, taking into account potential safeguards and other factors. Processing that presents a heightened risk of harm includes:
- Processing of personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Any processing that has a foreseeable risk of causing unfair or deceptive treatment, financial or physical injury, intrusion upon the solitude or private affairs of a consumer, or any other substantial injury
A controller’s data protection assessments must be made available to the Colorado Attorney General upon request, though they are confidential and exempt from public inspection.
Appealing a Controller’s Decision
Consumers may appeal a controller’s refusal to take action on a privacy request. This appeal is to the controller itself, not to a third party or governing body. For example, if a controller declines to delete some or all of a consumer’s personal data, citing one of the CPA’s exceptions, the consumer may contact the controller again and appeal that decision. This means that CPA compliance will require the establishment of an internal appeals process. There is no detailed guidance yet as to how such a process must work, but at a minimum it should involve forwarding the appeal to someone other than the person who handled the initial privacy request.
Enforcement of the Colorado Privacy Act
A unique characteristic of the CPA is that it may be enforced not only by the Colorado Attorney General, but by local district attorneys as well. One possible outcome of this decentralization is that enforcement may be more frequent than it is in other states. The statute does not set out its own structure for fines, instead stating that a violation of the CPA is a deceptive trade practice, which is punishable under state law by up to $20,000 per violation.
Before an enforcement action can commence, organizations must be given 60 days to cure any alleged violations. However, this mandatory cure period will only be in effect for the first 18 months, with a sunset date of January 1, 2025.
Like the CDPA, the CPA does not create a private right of action for consumers.
Get Ready for Privacy Compliance
The Colorado Privacy Act is part of a growing trend of state privacy laws that can have a great impact on how businesses operate. Trying to navigate this complicated web of rules will only get more complicated. TrueVault Polaris makes privacy compliance simpler and more cost effective. By automating time-consuming tasks and providing a guided software experience, TrueVault Polaris can help your business quickly get compliant and stay that way. Contact our team today to learn more.