Comprehensive Guide tothe Colorado Privacy Act

Colorado is the third state to pass comprehensive data privacy legislation, after Virginia passed the Virginia Consumer Data Protection Act (VCDPA) and California also passed a new data privacy law by ballot initiative, the California Privacy Rights Act (CPRA), which will expand the scope of protections previously afforded to California residents by the California Consumer Privacy Act (CCPA) of 2018. It borrows various elements from the European Union's General Data Protection Regulation (GDPR), CPRA, CCPA, and VCDPA.

What is the CPA?

The Colorado Privacy Act (CPA) is a state law that gives consumers the right to know what personal information is being collected about them, why it is being collected, and how it will be used. CPA also gives consumers the right to control how their personal information is used and to delete their personal information.

Consumers are defined in the CPA to include Colorado residents acting in their individual or household contexts. The CPA excludes individuals acting in a commercial or employment context, job applicants, and beneficiaries of someone acting in an employment context from its consumer definition.

The CPA’s broad personal data definition includes any information linked or reasonably linkable to an identified or identifiable individual or natural person. Still, it excludes de-identified data or publicly available information as narrowly defined in the law.

The law defines sensitive data to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal data of a known child.

Who does the CPA apply to?

The CPA applies to individuals and organizations (controllers) conducting business in Colorado or producing or delivering commercial products or services intentionally targeted to Colorado residents that, during a calendar year, either control the processing of personal data of:

• 100,000 consumers or more during a year,
• 25,000 consumers or more, and derive revenue from sale of personal data (including by receiving a discount on the price of goods or services).

There is no applicable revenue threshold.

The CPA does not apply to certain processing activities or entities, including:

• Data collection, processing, sale, or disclosure activity regulated by certain laws, including:
  - the Children's Online Privacy Protection Act of 1998;
  - the Family Educational Rights and Privacy Act of 1974;
  - the Gramm-Leach-Bliley Act (GLBA);
  - the Health Insurance Portability and Accountability Act (HIPAA); and
  - the Fair Credit Reporting Act (FCRA).
• Higher education institutions.
  

What are the consumer rights under the CPA?

The CPA grants consumers, or the parents or guardians of children under 13, the right to:

• Opt out of processing their personal data, or authorize another person to opt-out on their behalf, for:
  - targeted advertising;
  - personal data sales; or
  - profiling, which has legal or other significant effects on the consumer, as defined by the CPA.
• Know whether a controller processes their personal data.
• Access, correct, and delete their personal data.
• Obtain a copy of their personal data in a commonly used and machine-readable format, known in other jurisdictions as the right to data portability, up to two times per year.
  

How can businesses comply with the CPA?

To comply with the CPA, businesses must provide consumers with clear privacy notices and conduct data protection assessments for any personal data processing that presents a heightened risk of harm to consumers. The CPA does not offer much guidance regarding what may or may not qualify as a heightened risk of harm. Still, the Colorado Attorney General could promulgate clarifying rules before the CPA goes into effect.

Businesses covered by the new data privacy law should:

• Ensure that they are implementing cybersecurity safeguards;
• Create and communicate to consumers a process by which consumers may submit a request regarding their personal data and subsequently appeal a decision— controllers will generally have 45 days to respond to consumer requests;
• Provide a clear and conspicuous notice informing consumers that they have the right to opt out of targeted advertising and sales of their personal data;
• Establish the technical specifications of a user-selected universal opt-out mechanism by July 1, 2024;
• Update their Privacy Policy to explain their collection and use of data;
• Update their contracts with third parties to ensure that they comply with the laws;
• Obtain consumers’ informed consent before collecting sensitive data; and
• Establish a procedure to determine when to conduct a data protection assessment.

The CPA further requires data controllers to:

• Only process consumers’ sensitive data with their consent.
• Specify the express purposes of the processing (purpose specification).
• Limit personal data collection to adequate, relevant, and reasonably necessary for the processing’s purpose (data minimization).
• Only process personal data for reasonably necessary or compatible purposes disclosed to the consumer unless the controller obtains the consumer’s consent (avoiding secondary use).
• Implement and maintain reasonable administrative, technical, and physical data security practices to safeguard personal data.
• Refrain from increasing the cost or decreasing the availability of its product or service based solely on the exercise of a CPA right.
• Only process data in compliance with federal and state discrimination laws.
• When required, conduct data protection impact assessments, including specific factors, and make assessments available to the Attorney General on request.
• Execute a binding data processing agreement with any data processor that includes specific terms the law requires and allocates the responsibilities of each party.
• Provide consumers with a reasonably accessible, clear, and meaningful privacy notice stating:
  - the categories of personal data the controller processes;
  - the processing purpose;
  - how consumers may exercise their rights and appeal adverse controller decisions; and
  - the categories of personal data shared and the categories of third parties with whom data is shared.
• Allow consumers to exercise their right to opt-out of collection and processing for sales purposes or targeted advertising by providing clear and conspicuous notice of this right within the privacy notice and in another readily accessible location.
• Provide clear and conspicuous notice to consumers if controllers choose to request consumers’ consent to collect or process their data for targeted advertising, sale, or profiling, which includes:
  - their right to withdraw consent;
  - how they can withdraw their consent;
  - the categories of data collected or processed; and
  - a method to revoke the consent that is as easy as the method used to provide it.

The CPA also imposes limited obligations on processors, who store and process data on the controller’s behalf.

It should also be noted that the CPA provides exemptions for certain businesses already regulated under other federal laws.

Enforcement of the CPA

Like the Virginia law, the CPA does not create a private right of action for violations and authorizes the Colorado Attorney General and district attorneys to enforce compliance with its requirements. The Attorney General’s office and district attorney's offices will have exclusive authority to enforce the CPA. The CPA also does not set a fine amount per violation. Still, infringement of the law may constitute a deceptive trade practice under the Colorado Consumer Protection Act, which imposes a $20,000 fine per violation.

Initially, the CPA will require the Attorney General or district attorneys to issue a notice of violation and allow entities 60 days as the cure period for the alleged violation – i.e., a right to cure. The right to cure will sunset on January 1, 2025. In place of a right to cure, controllers can request opinion letters and interpretative guidance from the Attorney General’s office.

Final thoughts

Although businesses have a long time to implement the CPA’s requirements before its July 1, 2023 effective date, they should start proactively evaluating the law’s potential impact on their privacy compliance programs now.