Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia. Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.
Similar to the California and Virginia laws, the CPA affords Colorado “consumers” certain privacy rights and imposes duties on the “controllers” and “processors” of those consumers’ personal data. While the CPA generally follows the model set by the Virginia law, it contains important differences that will put Colorado at the forefront of consumer privacy.
Thresholds to Applicability
The CPA defines consumer to mean an individual who is a Colorado resident acting in an individual or household context, and does not include an individual acting in a commercial or employment context. The definition of consumer therefore has a built in exclusion for the employment and business-to-business contexts.
The CPA only applies to controllers—defined to mean any person that, alone or jointly with others, determines the purposes for and means of processing personal data—that conduct business in Colorado and meet at least one of two thresholds: (1) controlling or processing the personal data of 100,000 or more consumers during a calendar year; and/or (2) deriving revenue from the sale of personal data and processing or controlling the personal data of 25,000 or more consumers. Personal data processed by a “processor” on behalf of a controller counts towards those thresholds.
The CPA contains several substantive exclusions to applicability. For example, unlike the California model’s limited exclusion, the CPA contains a full exclusion for financial institutions subject to the federal Gramm-Leach-Bliley Act. The CPA also does not apply to certain types of health and patient information governed by HIPAA.
Consumer Rights Under the CPA
The law grants Colorado consumers specific rights over the way their personal data is processed by controllers. Personal data means “information that is linked or reasonably linkable to an identified or identifiable individual.” Publicly available or otherwise de-identified information, along with employment records, is not included within this definition.
The rights afforded to consumers include: (1) the right to opt out of certain processing of personal data; (2) the right to access personal data; (3) the right to correct inaccurate personal data; (4) the right to delete personal data; and (5) the right to data portability.
Consumers can exercise these rights by submitting formal requests, and controllers must act on the request within 45 days.
Duties of Controllers and Processors
The duties of controllers include: (1) the duty of transparency; (2) the duty of purpose specification; (3) the duty of data minimization; (4) the duty to avoid secondary use; (5) the duty of care; (6) the duty to avoid unlawful discrimination; and (7) duties regarding “sensitive” data.
With respect to the duty of transparency, controllers will need to ensure that their privacy policies clearly and meaningfully disclose specific types of practices, as well as the manner in which consumers may exercise their rights. The CPA does not require a “Do Not Sell My Information” page like the California law, but the Colorado Attorney General will be promulgating rules that detail the technical specifications for one or more universal opt-out mechanisms.
With respect to sensitive data, controllers must obtain consent to collect personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal information of a known child. In the case of a child below thirteen years old, consent should be given by the child’s parent or legal guardian.
Processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA. Processors must also enter into a contract with the controller setting out various criteria relating to what personal data will be processed, how the data will be processed and retained, and audit/compliance rights.
Data Security and Data Protection Assessments
Both controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk. For many companies, this type of data security requirement already exists for personally identifiable information under Colorado’s data security law. However, personal data under the CPA is significantly broader than personally identifiable information under Colorado’s data security law.
The CPA also has the new requirement of performing “data protection assessments” for controllers whose processing presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm is defined to include processing for the purpose of targeted advertising and profiling, selling personal data, and processing sensitive data. When performing the data protection assessment, controllers will have to weigh the benefits against the risks to the rights of the consumer, as well as potential safeguards that may mitigate those risks. Controllers must make the data protection assessments available to the attorney general upon request.
Rulemaking and Enforcement
Unlike the Virginia law, the attorney general has the authority to promulgate rules for the purpose of carrying out the CPA. Whereas the authority to promulgate rules generally implies discretion, the attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms by no later than July 1, 2023. The attorney general also has the discretion to adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses that includes a good faith reliance defense of an action that may otherwise constitute a violation of the CPA, which must be done by January 1, 2025 if at all.
The CPA expressly provides that it does not create a private right of action for a violation of the CPA. Instead, the attorney general and district attorneys will have exclusive enforcement powers, with violations punishable by civil penalties set forth in C.R.S. § 6-1-112. Under that statute, penalties can be up to $20,000 for each violation, and each consumer involved constitutes a separate violation. The maximum penalty is $500,000 for one related series of violations.
* * *
Colorado’s entry into the privacy law world will require significant changes for many businesses. The attorney general’s rules will provide more guidance, but businesses should, at the very least, begin ensuring that they have a full grasp of their data collection, usage, and documented policies so that they can prepare to meet their compliance obligations.