On July 8, 2021, the state of Colorado officially enacted the Colorado Privacy Act following Gov. Jared Polis, D-Colo., signing the bill. In passing the law, Colorado became the third U.S. state, following California in 2018 and Virginia earlier this year, to enact comprehensive privacy legislation.
Overview
As outlined by IAPP staff writer Joe Duball, the substance of the law is not particularly groundbreaking. Those who have reviewed the failed Washington Privacy Act and the Virginia Consumer Data Protection Act will find it familiar. Regarding the basic framework, the CPA followed the trend of adopting a WPA-like controller/processor approach rather than a California Consumer Privacy Act-like business/service provider distinction.
Scope
The scope of the CPA is reminiscent of the CDPA and CCPA but includes a few notable differences. The CPA applies to any controller that:
- “Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
- controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”
The scope of the law is broader in some senses and narrower in others compared to the CCPA and is slightly broader than the CDPA. Unlike the CCPA, the CPA does not include any revenue thresholds. Thus, a business cannot become subject to the law merely due to its annual revenues. However, the CPA extends applicability to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data. Unlike the CCPA and CDPA, the CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data.
The CPA defines a consumer as “a Colorado resident acting only in an individual or household context” and explicitly omits individuals acting in “a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” As is the case under the CDPA, controllers need not consider the employee personal data they collect and process when evaluating the law’s applicability.
Additionally, the “sale of personal data” is defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” Unlike the CDPA, which defines a sale as an exchange of data for monetary consideration only, the CPA’s definition takes after the CCPA, under which a sale occurs when personal data is exchanged for “other valuable consideration” in addition to “monetary consideration.” In this sense, the CPA is more similar to the CCPA, and controllers will be left to ponder what counts as “other valuable consideration.”
Importantly, the definition of “sale” explicitly excludes certain types of disclosures. These omissions are almost identical to those contained in the CDPA, albeit with slightly different language. These disclosures are:
- “Disclosures to a processor that processes the personal data on behalf of a controller.
- Disclosures of personal data to a third party for purposes of providing a product or service requested by the consumer.
- Disclosures or transfers of personal data to an affiliate of the controller.
- Disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- Disclosure of personal data:
- That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
- Intentionally made available by a consumer to the general public via a channel of mass media.”
As with the CDPA, the CPA’s definition of personal data explicitly excludes any deidentified data or publicly available information. “Publicly available” means any “information that is lawfully made available from … government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”
Exemptions
The CPA also sets forth categories of exempt data. Like the CDPA, these can be broken down into two main categories: entity-level exemptions and data-level exemptions. Entity-level exemptions are broader and, where they apply, the controllers need not comply with CPA obligations and rights regarding data they collect, even when the data would otherwise be included. The primary entity-level exemption under the CPA is for entities regulated by the Gramm-Leach-Bliley Act. Notably absent, however, is an entity-level exemption for HIPAA-regulated entities. While the law sets forth several pages of specific exemptions for health care controllers, it does not go so far as to fully exempt them from the law in the way the CDPA does.
Among the other notable exemptions are those related to deidentified information and information specifically regulated by other laws and therefore exempt from CPA obligations.
Consumer rights
The CPA provides five main rights for the consumer.
Right of access. Consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
Right to correction. Consumers have “the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.”
Right to delete. Consumers have “the right to delete personal data concerning the consumer.”
Right to data portability. When exercising the right of access, consumers have “the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”
Right to opt out. Consumers have “the right to opt out of the processing of personal data concerning the consumer for purposes of:
- targeted advertising;
- the sale of personal data; or
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”
While this right to opt out isn’t substantively different from other bills this year, the CPA’s procedure for opting out is. Beyond requiring that controllers offer a way to opt out, the CPA mandates that controllers honor a universal opt-out mechanism, so a consumer can exercise all opt-out rights through a single signal or setting rather than site by site. What this means in practice is currently unclear, but the law requires the Colorado attorney general to set forth technical specifications for the mechanism before July 1, 2023.
Right to appeal. Like the CDPA, the CPA also gives consumers the right to appeal a controller’s refusal to act on a request within a reasonable time period. Under the CPA, a controller must respond to a consumer request within 45 days of receipt and may extend that deadline by an additional 45 days when reasonably necessary. When a controller elects to extend the deadline, it must notify the consumer within the initial 45-day response period.
When a business fails to take action regarding a request to exercise rights or declines to respond, the CPA mandates the controller provide an appeal process that “must be conspicuously available and easy to use.” If an appeal is denied, the law requires the business to inform the consumer of their ability to contact the attorney general if they have “concerns about the result of the appeal.”
Obligations
The Colorado bill words its controller obligations slightly differently than its CCPA and CDPA predecessors. However, the obligations themselves are close analogs of one another.
Duty of transparency. As with its predecessors, the CPA mandates a controller provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.” This notice must include:
- The categories of personal data collected or processed by the controller or processor.
- The purpose(s) for which the data is processed.
- How consumers may exercise their rights, including how to appeal a controller’s decision.
- The categories of personal data shared with third parties, if any.
- The categories of third parties with which the data is shared, if any.
If sold to a third party or processed for targeted advertising, the controller shall “clearly and conspicuously disclose the sale or processing” as well as the opt-out mechanism.
Duty of purpose specification. When collecting personal data, a controller is required to “specify the express purposes for which personal data are collected and processed.”
Duty of data minimization. Just as Virginia instituted limits on collection, Colorado institutes a policy of data minimization where “a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”
Duty to avoid secondary use. Absent consent, the CPA dictates a controller shall not process personal data for “purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed.”
Duty of care. The CPA requires controllers take security precautions during storage and use of data by imposing a duty of care. Precautionary measures must be “appropriate to the volume, scope, and nature of the personal data processed.”
Duty to avoid unlawful discrimination. The law prohibits a controller from processing personal data “in violation of state or federal laws that prohibit unlawful discrimination against consumers.”
Duty regarding sensitive data. Controllers are likewise prohibited from processing sensitive data without consent. Consent must be “freely given, specific, informed, and unambiguous.”
Data protection assessments. A controller may not conduct a processing activity “that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities” that present such a risk. The law gives multiple examples of such activities, including processing for targeted advertising or profiling, selling personal data, and processing sensitive data.
Data processing contracts. Like the EU General Data Protection Regulation and CDPA, the CPA requires processing by a processor must “be governed by a contract between the controller and the processor.” These contracts must establish “the processing instructions to which the processor is bound, including the nature of the processing, ... the type of personal data subject to the processing, and the duration of the processing,” along with other legal obligations.
Enforcement
Unlike the CPA’s counterparts, enforcement falls not only to the attorney general but also to district attorneys. While California now has a separate enforcement authority per the CPRA, almost every other proposed bill introduced in state legislatures this session would have limited enforcement authority to the state’s attorney general.
As it stands now, once the attorney general or district attorney decides to initiate an action, the office must then provide notice to the controller. The controller then has 60 days to cure the violation. This is a significant expansion of Virginia and California’s cure period, which is limited to 30 days. It is worth noting this right to cure exists as a two-year sunset provision and will cease to be required beginning January 1, 2025. After that, controllers will no longer be entitled to cure prior to attorney general action.
Interestingly, there is no strict fine guidance located explicitly within the statute. Because a violation of the CPA is considered a deceptive trade practice per the statute, the penalties are governed by the Colorado Consumer Protection Act. Thus, a noncompliant entity may be fined up to $20,000 per violation.
Conclusion
Although the CPA may not be particularly groundbreaking, it is significant by reflecting the growing trend of enhanced consumer privacy protections. On its face, the CPA is likely a bit stricter than the CDPA and a bit more lenient than the CCPA. The Colorado attorney general may still issue regulations. If California’s experience with CCPA regulations is any indication, we certainly have not heard the last updates out of Colorado. Here at the IAPP, we will keep a close eye on any developments and update you accordingly.
Photo by Andrew Coop on Unsplash