Colorado Becomes the Third State to Pass a Comprehensive Consumer Privacy Law – Everything You Need to Know

Colorado Governor, Jared Polis, signed the Colorado Privacy Act (CPA) into law on July 7, 2021. The CPA became the third comprehensive consumer privacy legislation passed in the United States, after the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Privacy Act (CDPA).

The CPA will grant Colorado consumers the right to access, correct, delete, port, and opt out of certain processing of their personal data. The CPA will also require covered entities to provide privacy policy disclosures and create data protection assessments for certain types of processing activities.

What to Know About The CPA

Who Does The CPA Apply To?

The CPA applies to any organization that conducts business or produces products or services targeted to Colorado residents and that meets at least one of the following:

• controls or processes the personal data of at least 100,000 consumers or more during a calendar year;
• derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

The definition of a “consumer” under the CPA is notably narrower than the CCPA, and only includes a Colorado resident acting in an individual or household context. Unlike the CCPA and CDPA, the CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data.

CPA Obligations for Businesses

The CPA defines a data controller as an entity thatdetermines the purpose and means of processing personal data. The following obligations apply to controllers and processors under CPA:

• Clear Privacy Notice – controllers must provide consumers with a privacy notice that is reasonably accessible, clear and meaningful.
• Duty of Purpose Specification – controllers must specify the express purposes for which they are collecting and processing personal data.
• Data Minimization –  the CPA institutes a policy of data minimization where “a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”
• Avoid Secondary Use- controllers shall not process personal data for “purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed.”
• Duty of Care – Controllers must take reasonable measures to secure personal data from unauthorized acquisition during storage and use.
• Avoid Unlawful Discrimination – the CPA prohibits a controller from processing personal data “in violation of state or federal laws that prohibit unlawful discrimination against consumers.”
• Sensitive Data Protections – controllers must provide opt-in consent for the processing of “sensitive data,” defined as data that reveals information about race, gender, ethnicity, religious beliefs, sexuality or citizenship, as well as genetic or biometric data
• Data processing contracts – the CPA requires processing performed by a processor must “be governed by a contract between the controller and the processor.” These contracts must establish “the processing instructions to which the processor is bound, including the nature of the processing, … the type of personal data subject to the processing, and the duration of the processing,” along with other legal obligations.
• Data protection assessments – controllers may not process activity “that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities,”

When Does Enforcement Begin for The CPA?

The CPA is set to go into effect on July 1, 2023.

Consumer Rights Under CPA

The CPA provides consumers with the following rights:

• Right of Access
• Right to Correction
• Right to Deletion
• Right to Data Portability
• Right to Opt-Out

The CPA provides consumers with the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. This opt out right is similar to that found in the VCDPA; however, Colorado defines “sales” using a broader CCPA-style definition that includes transfers for “monetary or other consideration.”

Universal Opt-Out

Starting in 2024 Colorado consumers will be able to click a universal opt-out button to activate all opt-out rights. This mechanism under CPA appears to go farther than the CCPA and the VCDPA in terms of exercising opt-out rights.

Colorado’s Attorney General is set to establish technical requirements for the universal opt-out mechanism in 2024, which will apply both to sales of data as well as targeted advertising.

Written Data Protection Assessments

Colorado’s new law requires that data controllers conduct written data protection assessments for processing activities that present a “heightened risk of harm to a consumer.” This includes processing sensitive data, selling personal data, and processing personal data for targeted advertising or profiling that presents a reasonably foreseeable risk of:

• Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
• Financial or physical injury to consumers;
• A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
• Other substantial injury to consumers.

Beginning July 1, 2023, controllers will be required to make these written assessments available upon request to the Colorado Attorney General for compliance evaluations.

Enforcement and Penalties

There is no private right of action under the CPA. Instead enforcement power resides with the Attorney General and Colorado District Attorneys. This cure period will be automatically repealed on January 1, 2025. A violation of the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act and thus subject to injunctive relief and civil penalties of up to $20,000 per violation.

For the first two years after the law is enacted, entities will have a 60-day notice and cure period to remedy any violations of the law before the Colorado Attorney General or District Attorneys can initiate an enforcement action. This is much longer than Virginia and California’s cure period, which is limited to 30 days. After two years, controllers will no longer be entitled to cure prior to attorney general action.

Sources Cited:

Full text of the Colorado Privacy Act – https://leg.colorado.gov/sites/default/files/documents/2021A/bills/2021a_190_enr.pdf

“Colorado Privacy Act Becomes Law” by Sarah Rippy. Link – https://iapp.org/news/a/colorado-privacy-act-becomes-law/

“Colorado Becomes Third State to Pass a Comprehensive Privacy Law” by Cooley Alert. Link – https://www.cooley.com/news/insight/2021/2021-07-08-colorado-becomes-third-state-to-pass-a-comprehensive-privacy-law

“Colorado Enacts Comprehensive Privacy Law” by Stevie DeGroff. Link – https://www.jdsupra.com/legalnews/colorado-enacts-comprehensive-privacy-2905554/