Colorado Privacy Act: A Detailed Overview
On July 8, 2021, Governor Jared Polis made a significant move in the realm of data privacy by signing the Colorado Privacy Act (CPA) into law. With its effective date set for July 1, 2023, Colorado became the third state in the U.S., following California and Virginia, to enact comprehensive data privacy legislation. The CPA draws inspiration from the European Union’s General Data Protection Regulation (GDPR) and more prominently from the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA).
Applicability of the CPA
The Colorado Privacy Act targets companies that engage in business within Colorado or aim their services at Colorado residents. However, not all companies are subject to the CPA; it reaches only those that meet specific thresholds:
- Data Control: Companies that control or process the personal data of 100,000 or more consumers in a calendar year.
- Revenue Derived from Data Sales: Those that derive revenue from selling personal data and control or process data belonging to at least 25,000 consumers.
Unlike the CCPA, which includes a revenue threshold of $25 million, the CPA does not impose any revenue limit. Furthermore, the CPA’s consumer count threshold is double that of the CCPA.
Exemptions Under CPA
Certain groups are exempt from CPA provisions. For example, the law does not apply to individuals acting in a commercial or employment context, and job applicants are also excluded. While the CPA mirrors the CCPA’s exclusion of protected health information and certain federally regulated data, it notably lacks an exemption for nonprofit organizations that the CCPA and VCDPA provide.
Terminology Differences
In line with GDPR terminology, the CPA uses terms that differ slightly from those in the CCPA. For instance, “controller” is used instead of “business,” and “processor” replaces “service provider.” The definition of a “sale” in the CPA aligns closely with that of the CCPA, covering any exchange for monetary or other valuable consideration, whereas the VCDPA’s definition of a sale is more restrictive.
Consumer Rights
One of the most notable aspects of the CPA is the array of rights it grants consumers:
- Right to Opt-Out: Consumers can opt out of processing their data for targeted advertising, data sales, and profiling that significantly affects them.
- Right of Access: Consumers have the right to confirm whether their personal data is being processed and to access it.
- Right to Correction: This allows consumers to correct inaccuracies in their personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Up to twice a year, consumers can obtain their personal data in a portable format.
These rights largely align with those found in the VCDPA, although the CPA’s opt-out provisions are broader in scope.
Fulfilling Consumer Requests
Companies governed by the CPA have 45 days to address consumer requests, with a potential extension of an additional 45 days if needed. This deadline aligns well with the timeframes stipulated by both the CCPA and VCDPA.
Privacy Notice Required Disclosures
The CPA mandates that companies provide consumers with a clear and easily accessible privacy notice, which includes:
- Categories of personal data collected or processed.
- The purposes for such processing.
- Information on how consumers can exercise their rights.
- Categories of personal data shared with third parties.
Additionally, companies must disclose if they are selling personal data or processing it for targeted advertising.
Other Processing Obligations
The CPA requires companies to adhere to several significant obligations, including:
- Transparency: Maintaining clarity about data practices.
- Purpose Specification: Clearly outlining the reasons for data processing.
- Data Minimization: Limiting data collection to what is necessary.
- Avoiding Secondary Use: Not using personal data for unrelated purposes.
- Duty of Care: Ensuring data security.
- Avoiding Unlawful Discrimination: Upholding non-discriminatory standards.
- Processing Sensitive Data: Only with consumer consent.
Notably, the CPA uses a heightened consent standard, ensuring that consent must be clear, informed, and unambiguous.
Data Protection Assessments
The CPA obligates companies to conduct data protection assessments when processing personal data that may pose a significant risk to consumers, especially in sensitive cases. These assessments must be available to the Attorney General upon request.
Engaging Processors
In engaging processors, the CPA establishes requirements similar to those in the VCDPA and the amended CCPA.
- Processors must follow controller instructions and assist them in complying with CPA obligations.
- Contracts between controllers and processors must be in writing and clearly outline processing instructions, the nature of data, and obligations regarding data return or deletion.
If anonymized data is provided to processors, they must ensure it cannot be linked back to individuals.
Enforcement
The CPA does not grant individuals the right to take private legal action but rather places enforcement in the hands of the Attorney General and District Attorneys. A violation is considered a deceptive trade practice under the Colorado Consumer Protection Act. There exists a 60-day cure period during which businesses can rectify violations before enforcement actions are initiated, a provision in place until January 1, 2025.
The Colorado Privacy Act represents a significant step forward in consumer data protection within the U.S., marking a growing trend towards more stringent data privacy regulations. By aligning itself with existing frameworks while introducing unique components, the CPA aims to bolster consumer rights and ensure responsible data handling practices across industries.