Colorado Enacts Comprehensive Privacy Legislation

July.15.2021

Colorado is the third U.S. state to enact comprehensive consumer data privacy legislation with the passage of the Colorado Privacy Act (CPA) on July 7, 2021. The CPA will go into effect July 1, 2023, joining the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) in the steadily growing patchwork of state-enacted consumer data privacy legislation. The CPA’s key provisions are summarized below. However, we can expect the law may undergo further change before the effective date. In the signing statement, Colorado Governor Jared Polis noted the hastily drafted bill will require clean-up legislation to “strike the appropriate balance between consumer protection and not stifling innovation” and acknowledged that the bill’s sponsors are already working with key stakeholders to draft the updated bill.

Who is Required to Comply?

Controllers and Processors

The CPA applies to controllers that conduct business in Colorado or produce/deliver commercial products or services that are intentionally targeted to Colorado residents and meet one of the following thresholds:

1) control or process the personal data of 100,000 or more Colorado residents per calendar year;

     or

2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents. § 6-1-1304.

While this definition of controller does not include Colorado government entities, it does encompass nonprofit organizations, making its scope broader than the VCDPA and CPRA in this respect.

Like the European Union’s General Data Protection Regulation (GDPR) and Virginia’s Consumer Data Protection Act (VCDPA), the CPA distinguishes between controllers and processors:

  • A controller is a person that, alone or jointly with others, determines the purposes for and means of processing personal data. § 6-1-1303(7).
  • A processor means a person that processes personal data on behalf of a controller.
    § 6-1-1303(19).

Statutory Exemptions

Through the definition of “consumer” (i.e., “an individual who is a Colorado resident acting only in an individual or household context”) and other provisions, the CPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context. § 6-1-1303(6)(a)-(b);

§ 6-1-1304(2)(k). The CPA, like the VCDPA, does not provide a sunset period for this exemption.

Like the CPRA and VCDPA, the CPA also provides for several exemptions for information that is already regulated under federal law, including HIPPA, GLBA, FRCA, FERPA and more.

What Information is Protected?

Personal Data

The CPA protects “Personal Data,” which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” § 6-1-1303(17)(a)-(b).

The CPA also protects “Sensitive Data” as a separate category of personal data, which includes: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. § 6-1-1303(24). In contrast to the VCDPA and CPRA, the CPA’s definition of sensitive data does not include precise geolocation data.

Personal data under the CPA does not include:

  • De-identified Data, which is data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual. § 6-1-1303(11).
  • Publicly Available Information, which is information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public. § 6-1-1303(17)(b).

What Obligations Do Controllers Have?

The CPA creates several specific processing duties for controllers, including:

  • Duty of Transparency: Provide a reasonably accessible, clear, and meaningful privacy notice to consumers about the controller’s privacy practices and consumer’s rights. § 6-1-1308(1)(a).
  • Duty of Purpose Specification: Specify express purposes for which personal data are collected and processed. § 6-1-1308(2).
  • Duty of Data Minimization: Limit the collection of personal data what is adequate, relevant, and reasonably necessary in relation to specified purposes. § 6-1-1308(3).
  • Duty to Avoid Secondary Use: Not process personal data for purposes that aren’t reasonably necessary to or compatible with specified purposes unless the controller first obtains consumer consent. § 6-1-1308(4).
  • Duty of Care: Take reasonable measures to secure personal data during storage and use from unauthorized acquisition. § 6-1-1308(5).
  • Duty to Avoid Unlawful Discrimination: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination. § 6-1-1308(6).
  • Duty Regarding Sensitive Data: Not process sensitive data without first obtaining the consumer’s consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian. § 6-1-1308(7).
  • Data Protection Assessments: Conduct and document a data protection assessment for each personal data processing activity that presents a heightened risk of harm to consumers. Data protection assessments must be made available to the Attorney General upon request. These requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive. § 6-1-1309(6). A “heightened risk of harm to a consumer” includes:
  • The processing of personal data for purposes of targeted advertising;
  • The processing of personal data for purposes of profiling if profiling presents reasonably foreseeable risk of 1) unfair or deceptive treatment or disparate impact of consumers, 2) financial or physical injury to consumers, 3) physical or other intrusion on privacy of consumers, or 4) other substantial injury to consumers;
  • The sale of personal data; and
  • The processing of sensitive data. § 6-1-1309(2)(a)-(c).

Avoid Dark Patterns: The CPA follows the trend to legislate against dark patterns, meaning “a user interface designed or manipulated with the substantial effect of subverting or impairing autonomy, decision-making or choice.” § 6-1-1303(9). Using language substantially identical to the CPRA, the CPA specifies that consent is not valid if obtained through “dark patterns.” § 6-1-1303(5)

What Obligations Do Processors Have?

The CPA creates obligations for processors to:

  • Comply and Assist: Abide by the instructions of a controller and assist the controller to meet its obligations by: § 6-1-1305(2).

    • Enacting appropriate technical and organizational measures;
    • Helping in relation to the security of processing personal data and notification of a breach of security of the system; and
    • Providing information necessary for data protection assessments. § 6-1-1305(2)(a)-(c).
  • Ensure Confidentiality: Ensure each person processing personal data is subject to a duty of confidentiality. § 6-1-1305(3)(a).
  • Ensure Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of responsibilities between the controller and processor. § 6-1-1305(4).
  • Subcontractor Contracts: Engage a subcontractor only after providing the controller with an opportunity to object and require through a written contract that the subcontractor will meet the processor’s obligations with respect to personal data. § 6-1-1305(3)(b).
  • Controller Contracts: Processing must be governed by a contract binding on both parties that sets out (1) processing instructions, (2) types of personal data subject to processing and duration of processing, and (3) other requirements imposed by the CPA. § 6-1-1305(5).

What Rights Are Granted to Consumers?

The CPA requires controllers to comply with authenticated request to exercise the following rights:

  • Right of Access: To confirm whether a controller is processing personal data and to access such personal data. § 6-1-1306(1)(b).
  • Right to Data Portability: To obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another entity. A consumer may exercise this right now more than twice per calendar year.

    § 6-1-1306(1)(e).

  • Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into consideration the nature of the personal data and the purposes of the processing of the personal data. § 6-1-1306(1)(c).
  • Right to Opt Out: To opt out of the processing of personal data for purposes of (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 6-1-1306(1)(a)(I). The CPA’s provision of a right to opt out is identical to the VCDPA’s right to opt out.
  • Right to Universal Opt-Out Mechanism: Effective July 1, 2024, controllers that process personal data for the purposes of targeted advertising or sale must allow consumers to exercise the right to opt out through a user-selected universal opt-out mechanism. § 6-1-1306(1)(a)(IV)(B). The Attorney General is directed to adopt rules that clarify the technical specifications for such an opt-out mechanism by July 1, 2023. § 6-1-1313(2).
  • Right to Deletion: To delete personal data concerning the consumer. § 6-1-1306(1)(d).

The CPA obligation to respond to consumer requests aligns with the CCPA  with respect to timing (45 days with option to extent), limited obligation to respond to more than one request in a 12-month period, and the need to authenticate the consumer’s request. The CPA mirrors the VCDPA’s unique approach in adopting a statutory right to appeal. § 6-1-1306(3). The bill requires that controllers establish internal processes for consumers to appeal a refusal to act on a request to exercise any of the rights above. The appeal process must be made readily available and as easy to use as the process for submitting a request. Furthermore, the CPA mandates that controllers inform the consumer of their ability to contact the Attorney General if the consumer has any concerns regarding the result of an appeal.

The consumer rights above do not apply to pseudonymous data if (1) the controller can demonstrate that the information necessary to identify the consumer is kept separately and (2) is subject to effective technical and organizational controls that prevent the controller from accessing such information.
§ 6-1-1307(3).

How is the Law Enforced?

The CPA does not provide for a private right of action. The Colorado Attorney General and District Attorney’s have the exclusive authority to enforce the CPA by injunctive relief and civil penalties.

§ 6-1-1311. The bill provides that violations of the law will be enforceable as per se deceptive trade practices. § 6-1-1311(c). Thus, under Colorado consumer protection law, violations of the CPA can carry penalties of up $20,000 for each violation, where each consumer involved constitutes a separate violation, with a maximum penalty of $500,000 for any related series of violations. § 6-1-112.

The Act also provides a 60-day right to cure provision that sunsets on January 1, 2025. § 6-1-1311(2)(d). This is more in line with the CPRA, which removed the CCPA’s 30-day right to cure ordinary violations of the law, than the VCDPA that provides a 30-day right to cure provision with no sunset provision.

Rulemaking authority. Further, the Attorney General is granted rulemaking authority regarding the issuance of opinion letters and interpretive guidance, which shall include a good faith reliance defense for businesses. These rules must become effective by July 1, 2025. § 6-1-1313(3).

The CPA also preempts “laws, ordinances, resolutions or the equivalent adopted by any statutory or home rule municipality, county, or city regarding the processing of personal data by controllers and processors.” § 6-1-1312.

Conclusion

Colorado is one step away from becoming the third U.S. state to enact comprehensive consumer data privacy legislation, following in the footsteps of California and Virginia. The majority of the CPA will become effective on July 1, 2023, though certain provisions will not go into effect until July 1, 2024. Keep an eye out for additional legislative updates as a number of states wind down their legislative sessions.