Colorado is the third U.S. state to enact comprehensive consumer data privacy legislation with the passage of the Colorado Privacy Act (CPA) on July 7, 2021. The CPA will go into effect July 1, 2023, joining the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) in the steadily growing patchwork of state-enacted consumer data privacy legislation. The CPA’s key provisions are summarized below. However, we can expect that the law may undergo further change before the effective date. In the signing statement, Colorado Governor Jared Polis noted that the hastily drafted bill will require clean-up legislation to “strike the appropriate balance between consumer protection and not stifling innovation” and acknowledged that the bill’s sponsors are already working with key stakeholders to draft the updated bill.
Controllers and Processors
The CPA applies to controllers that conduct business in Colorado or produce/deliver commercial products or services that are intentionally targeted to Colorado residents and meet one of the following thresholds:
1) control or process the personal data of 100,000 or more Colorado residents per calendar year;
2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents. § 6-1-1304.
While this definition of controller does not include Colorado government entities, it does encompass nonprofit organizations, making its scope broader than the VCDPA and CPRA in this respect.
Like the European Union’s General Data Protection Regulation (GDPR) and Virginia’s Consumer Data Protection Act (VCDPA), the CPA distinguishes between controllers and processors:
Through the definition of “consumer” (i.e., “an individual who is a Colorado resident acting only in an individual or household context”) and other provisions, the CPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context. § 6-1-1303(6)(a)-(b); § 6-1-1304(2)(k). The CPA, like the VCDPA, does not provide a sunset period for this exemption.
Like the CPRA and VCDPA, the CPA also provides for several exemptions for information that is already regulated under federal law, including HIPAA, GLBA, FCRA, FERPA and more.
The CPA protects “Personal Data,” which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” § 6-1-1303(17)(a)-(b).
The CPA also protects “Sensitive Data” as a separate category of personal data, which includes: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. § 6-1-1303(24). In contrast to the VCDPA and CPRA, the CPA’s definition of sensitive data does not include precise geolocation data.
Personal data under the CPA does not include:
The CPA creates several specific processing duties for controllers, including:
Avoid Dark Patterns: The CPA follows the trend to legislate against dark patterns, meaning “a user interface designed or manipulated with the substantial effect of subverting or impairing autonomy, decision-making or choice.” § 6-1-1303(9). Using language substantially identical to the CPRA, the CPA specifies that consent is not valid if obtained through “dark patterns.” § 6-1-1303(5).
The CPA creates obligations for processors to:
Comply and Assist: Abide by the instructions of a controller and assist the controller to meet its obligations by: § 6-1-1305(2).
The CPA requires controllers to comply with authenticated requests to exercise the following rights:
The CPA’s obligation to respond to consumer requests aligns with the CCPA with respect to timing (45 days, with an option to extend), the limited obligation to respond to more than one request in a 12-month period, and the need to authenticate the consumer’s request. The CPA mirrors the VCDPA’s unique approach in adopting a statutory right to appeal. § 6-1-1306(3). The bill requires that controllers establish internal processes for consumers to appeal a refusal to act on a request to exercise any of the rights above. The appeal process must be made readily available and as easy to use as the process for submitting a request. Furthermore, the CPA mandates that controllers inform the consumer of their ability to contact the Attorney General if the consumer has any concerns regarding the result of an appeal.
The consumer rights above do not apply to pseudonymous data if (1) the controller can demonstrate that the information necessary to identify the consumer is kept separately and (2) that information is subject to effective technical and organizational controls that prevent the controller from accessing it.
The CPA does not provide for a private right of action. The Colorado Attorney General and District Attorneys have the exclusive authority to enforce the CPA by injunctive relief and civil penalties. § 6-1-1311. The bill provides that violations of the law will be enforceable as per se deceptive trade practices. § 6-1-1311(c). Thus, under Colorado consumer protection law, violations of the CPA can carry penalties of up to $20,000 for each violation, where each consumer involved constitutes a separate violation, with a maximum penalty of $500,000 for any related series of violations. § 6-1-112.
The Act also provides a 60-day right-to-cure provision that sunsets on January 1, 2025. § 6-1-1311(2)(d). This is more in line with the CPRA, which removed the CCPA’s 30-day right to cure ordinary violations of the law, than with the VCDPA, which provides a 30-day right-to-cure provision with no sunset.
Rulemaking authority. Further, the Attorney General is granted rulemaking authority regarding the issuance of opinion letters and interpretive guidance, which shall include a good faith reliance defense for businesses. These rules must become effective by July 1, 2025. § 6-1-1313(3).
The CPA also preempts “laws, ordinances, resolutions or the equivalent adopted by any statutory or home rule municipality, county, or city regarding the processing of personal data by controllers and processors.” § 6-1-1312.
Colorado is one step away from becoming the third U.S. state to enact comprehensive consumer data privacy legislation, following in the footsteps of California and Virginia. The majority of the CPA will become effective on July 1, 2023, though certain provisions will not go into effect until July 1, 2024. Keep an eye out for additional legislative updates as a number of states wind down their legislative sessions.