The Colorado Privacy Act (“CPA”) was enacted in July of 2021, following a trail blazed by California and Virginia, which enacted the first two comprehensive personal data privacy laws in the United States. The CPA takes effect July 1, 2023, and the full text of the CPA is available here.
Who Does the Colorado Privacy Act Apply to?
The CPA applies to businesses that target products or services to Colorado residents and that either:
- Control or process the personal data of at least 100,000 Colorado consumers in a calendar year; or
- Control or process the personal data of at least 25,000 Colorado consumers while deriving any revenue from selling personal data.
The CPA applies to non-profit business entities, but does not apply to governmental entities, including schools.
Key Colorado Privacy Act Definitions
Much of the CPA’s terminology is borrowed from the GDPR including:
- “Consumer,” which refers to Colorado residents; unlike the CCPA, the CPA excludes employees and job applicants.
- “Controller,” which refers to any person that, alone or with others, determines the purposes and means of processing personal data.
- “Personal data,” which refers to any information that is linked or is reasonably linkable to an identified or identifiable individual. Similar to the GDPR and unlike California’s CCPA, the CPA’s definition pertains only to individuals and excludes “households.” Personal data also excludes any data that is de-identified or publicly available (i.e. from government records or which the controller reasonably believes the consumer has made available to the general public).
- “Processor,” which refers to any person that processes personal data on behalf of a controller.
- “Sale of personal information,” which refers to a controller’s exchange of personal data for money or other valuable consideration with a third party, but excluding disclosures: (1) to a processor; (2) to a third party for purposes of providing a product or service requested by the consumer; (3) to an affiliate of the controller; (4) as part of a merger, acquisition, bankruptcy, or other transaction impacting all or part of the controller’s assets; (5) as directed by the consumer, including via an intentional interaction with a third party; or (6) of data intentionally published by the consumer to the general public via mass media.
- “Sensitive data,” which refers to: (1) data revealing racial or ethnic origin, religious belief, mental or physical health, sex life, sexual orientation or citizenship; (2) genetic or biometric data used to uniquely identify an individual; and (3) data concerning a known child under the age of 13.
Prior to engaging a processor, a controller must enter into a contract with the processor imposing on the processor the obligations described below, and importantly, such contracts may not relieve either the controller or a processor from liability for breach of the CPA.
Obligations Imposed on Colorado CPA Processors
The CPA generally imposes fewer obligations on processors than on controllers, the most important of which are that processors must:
- Follow the instructions of their controllers and assist them in their CPA obligations;
- Take appropriate technical and organizational measures to assist controllers with responding to consumer data privacy requests;
- Notify controllers of any security breaches;
- Ensure each person processing the personal data is subject to a duty of confidentiality; and
- Provide controllers notice and an opportunity to object before engaging any subcontractor, and impose CPA processor requirements on any subcontractor.
Obligations Imposed on Colorado CPA Controllers
The CPA imposes a number of GDPR- and CCPA-like duties on controllers:
- Duty of transparency—a reasonably accessible, clear, and meaningful privacy notice including:
  - The categories of personal data collected or processed by the controller or its processors;
  - The purposes for the data processing—if data is processed or sold for targeted advertising, the controller must disclose this conspicuously and provide an opt-out mechanism;
  - How consumers can exercise their rights and appeal any controller decision;
  - The categories of personal information shared with third parties;
  - The categories of third parties with which any data is shared.
- Duty of purpose specification—specifying the express purposes for which personal data is collected and processed (this appears to be subsumed by the duty of transparency).
- Duty of data minimization—data collection must be adequate, relevant, and reasonably necessary for the identified processing purposes. Interestingly, the inclusion of “adequate” suggests controllers may need to collect a minimum amount of data to ensure they can accomplish their purpose, which is at odds with the very concept of “minimization.”
- Duty to avoid secondary use—processing may only include purposes reasonably necessary to or compatible with the purposes specified at the time of data collection. This can be overcome with consent from the consumer obtained after the time of collection. Essentially, the CPA becomes an opt-in rather than an opt-out statute for any new or unanticipated purposes.
- Duty of care—controllers must take reasonable measures to secure personal data during storage and use that are appropriate to the volume, scope, and nature of the personal data processed.
- Duty to avoid unlawful discrimination—controllers must not process personal data in violation of state or federal anti-discrimination laws. This means that controllers may face liability both under the primary anti-discrimination law and the CPA for the same discriminatory conduct.
- Duty regarding sensitive data—to process sensitive data, controllers must obtain opt-in consent, which consent must come from a parent in the case of children’s data. (All data concerning a child under 13 is considered sensitive.) Any consent required under CPA must be freely given, specific, informed, and unambiguous.
- Data protection assessments—controllers must undertake a data protection assessment prior to any processing that presents a heightened risk of harm to a consumer. Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, including accounting for any safeguards that the controller employs to reduce risk.
The CPA includes several examples of when a data protection assessment is needed, including (1) selling personal data; (2) processing sensitive data; and (3) targeting or profiling consumers where there is a foreseeable risk of: unfair or deceptive treatment or unlawful disparate impact on consumers; financial or physical injury; a physical or other intrusion upon the solitude or seclusion, or private affairs, if offensive to a reasonable person; or other substantial injury.
Consumer Privacy Rights Under CPA
In addition to the duties imposed on controllers explained above, controllers are also responsible for ensuring that consumers can exercise their CPA privacy rights:
- Right of access—to confirm if a controller is processing personal data and to “access it” (note: it is unclear how the access right is different from the right to portability described below).
- Right to correction—to correct inaccuracies in the consumer’s own personal data.
- Right to delete—to delete personal data concerning the consumer. Given there are no statutory exceptions to this right, it can be anticipated that exceptions, e.g. for compliance with laws and to prevent fraud, will be the subject of regulations.
- Right to data portability—to obtain a copy of their personal data, where feasible in a readily usable format enabling transfer to another entity. A consumer may exercise this right no more than twice per calendar year.
- Right to opt out—to opt out of processing their personal data for: (1) targeted advertising; (2) sale of personal data; or (3) profiling resulting in decisions of legal or similarly significant effects on the consumer. Beginning July 1, 2024, controllers must provide consumers with a universal opt-out mechanism for opting out of targeted advertising and data sales. The attorney general will issue regulations about this. It is unclear if the universal opt-out mechanism will require businesses to respect “Do Not Track” browser signals or another similar mechanism. However, the CPA provides that an affirmative consent or opt-in will override any background choices reflected through the universal opt-out mechanism, so arguably the universal opt-out will be nullified by a checkbox consenting to website terms of service.
- Right to appeal—to appeal any inaction by a controller in implementing the consumer’s privacy choices. The appeal process must be easy and conspicuous and for a denied appeal the controller must inform the consumer about their right to contact the attorney general about the result of the appeal.
As with the CCPA, under the CPA controllers must fulfill privacy requests within 45 days of receipt; they may extend this deadline to 90 days when reasonably necessary by notifying the consumer of the extension during the initial 45-day period. Also missing from the statute, and expected to be included in AG regulations, are requirements for verifying privacy requests before fulfilling them.
How CCPA Toll Free Helps Business Comply with CPA
CCPA Toll Free helps businesses comply with the CPA with cost-effective, easy-to-deploy and automated workflow tools. Our enterprise-ready features include:
- An interactive privacy request manager to provide to your consumers
- A toll-free number, provisioned instantly, to accept privacy requests as well
- Tools to authenticate privacy requests, and track and demonstrate compliance
- A robust security framework with encryption in transit and at rest, two-factor authentication, SSO and API integrations
CCPA Toll Free offers a free trial with no payment method required. Click Start Free Trial above to learn more about how we can assist with your CPA privacy compliance.
CPA Enforcement and Conclusion
The CPA is subject to enforcement not only by the Colorado attorney general but also by any district attorney. From the July 2023 effective date of the CPA until January 1, 2025, before commencing an enforcement action, the AG or DA must give the controller notice of any CPA violation and provide it with a 60-day cure period.
There are no fines specified within the CPA, but because a violation of the CPA is deemed a deceptive trade practice under Colorado’s Consumer Protection Act, it follows that a business can be fined up to $20,000 per CPA violation.
There is plenty of time between now and mid-2023 to prepare for CPA compliance. The good news is that businesses that have adopted GDPR and CCPA compliance programs will be very well positioned to comply with the Colorado law. Essentially, providing all GDPR + CCPA rights to Colorado residents will result in substantial compliance with CPA. Even if this approach affords Colorado residents a few additional rights, it is the path that many businesses are likely to take.