On July 7, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA). By enacting the CPA, Colorado becomes the third state in the nation to implement a generally applicable consumer data privacy law, after California with the California Consumer Privacy Act (CCPA) and Virginia with the Virginia Consumer Data Protection Act (VCDPA). While the CPA is similar to the CCPA and VCDPA in many respects, it has a different scope and different obligations than those two laws. Accordingly, impacted businesses must conduct a separate scope analysis, and, if subject to the CPA, they will need to set up different business rules to comply with the law.
The CPA applies to persons that conduct business in Colorado or that produce products or services that are intentionally targeted to Colorado residents and that either (1) control or process personal data of at least 100,000 Colorado residents during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 Colorado residents. The CPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, and personal data from a known child.
However, the CPA does not apply to, among other things:
- financial institutions or data subject to the federal Gramm-Leach-Bliley Act;
- certain activities regulated by the Fair Credit Reporting Act;
- information on persons acting in a commercial or employment context;
- deidentified data or, in some contexts, pseudonymous data; or
- publicly available information.
The CPA provides consumers with a number of rights related to their personal data, several of which are similar to rights available under the CCPA and VCDPA. Under the CPA, consumers have the right to:
- confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
- access their personal data;
- correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
- delete personal data concerning them;
- obtain a portable copy of personal data that they access from the controller;
- opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and
- appeal a refusal to take action on a request to exercise a right under the CPA.
The CPA also requires controllers to adopt and offer, by July 1, 2024, a universal opt-out mechanism to allow consumers to opt out of the sale of personal data and opt out of the processing of personal data for purposes of targeted advertising under technical specifications to be established by the Colorado attorney general.
The CPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.
Under the CPA, controllers must, among other things:
- provide a Privacy Notice containing specific disclosures, including the categories of personal data collected, processed, and shared, the purposes for which personal data are collected and processed, the categories of third parties with whom the controller shares personal data, and, if selling personal data or processing personal data for targeted advertising, a clear and conspicuous disclosure of the sale or processing and how a consumer can opt out;
- limit processing personal data to what is adequate, relevant, necessary, reasonable, and proportionate in relation to the specified purposes for which such personal data is processed;
- not process personal data for purposes that are not reasonably necessary or compatible with specified purposes, unless the controller obtains consumer consent;
- take reasonable measures to secure personal data during both storage and use from unauthorized acquisition;
- not process personal data in violation of discrimination laws; and
- not process sensitive data without consent.
The CPA also requires controllers to conduct and document data protection assessments when conducting data processing that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm to a consumer includes engaging in the following activities:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
- the processing of sensitive data.
A processor must follow a controller’s instructions and must assist the controller in:
- responding to consumer requests to exercise their rights;
- meeting data security and breach notification obligations; and
- providing information to enable the controller to conduct and document data protection assessments.
There are also requirements for contracts between controllers and processors as well as requirements for engaging subcontractors.
The Colorado attorney general and district attorneys have exclusive authority to enforce the CPA. The attorney general and DAs may seek civil penalties of up to $20,000 for each violation of the CPA, in addition to injunctive relief. The CPA provides for a 60-day right to cure.
The CPA does not provide for a private right of action.
The CPA will become effective on July 1, 2023.