The Centennial State is a year-round haven for outdoor enthusiasts, widely known for its spectacular national parks, extensive hiking trails, gorgeous snow-capped mountains, and pristine rivers, lakes, and waterfalls. However, starting July 1, 2023, Colorado will make its mark for something completely different: The Colorado Privacy Act (CPA).
The Colorado Privacy Act, a comprehensive data privacy law similar to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), was officially passed by the Colorado State Senate on June 8, 2021. Expanding consumer data protections in the United States, Colorado is now the third state with extensive privacy legislation, following in the footsteps of California and Virginia. One month after its passing, the CPA was signed into law by Colorado Governor Jared Polis on July 7, 2021. The CPA will take effect on July 1, 2023 – just six months after both the CPRA and Virginia's Consumer Data Protection Act (CDPA) take effect.
Let's take a closer look at the Colorado Privacy Act below:
Overview of the Colorado Privacy Act (CPA)
Introduced by Senators Rodriguez and Lundeen on March 19, 2021, the Colorado Privacy Act will provide additional protections for the personal data of Colorado residents, whether inside or outside the state. Officially titled "An Act Concerning Additional Protection of Data Relating to Personal Privacy," the CPA is modeled after Virginia's recently approved CDPA and the unsuccessful Washington Privacy Act – although this law has its differences.
The CPA's legislative passage is also significant - especially following the failures of both Washington and Florida. It was passed within a three-month period, making it one of the fastest laws to be passed in the United States. The CPA was unanimously approved by the Colorado Senate on May 26, 2021, just two months after making its first appearance. Less than two weeks later, the House passed an amended version of the CPA before the Senate again unanimously voted 34-0 on the final passage the next day on June 8, 2021.
Key Provisions of the Colorado Privacy Act
Building upon the components of numerous other laws and regulations, the CPA also includes several elements that are unique to the Colorful State. For instance, it is the first regulation in the U.S. to apply to both non-profit and commercial entities and the first to be enforced by both the District Attorney and the Attorney General's office.
Here's a breakdown of the CPA and how its requirements compare to the CCPA, CPRA, and CDPA:
Like the data privacy regulations before it, the CPA aims to protect the personal data (any information that is linked or reasonably linkable to an identified or identifiable individual) of Colorado consumers. These protections would not cover de-identified data or publicly available information, though. Under the CPA, a consumer is defined as "an individual who is a Colorado resident acting only in an individual or household context" and would exclude those acting in a commercial or employment capacity, similar to the CDPA.
The CPA defines a controller as "a person that, alone or jointly with others, determines the purposes and means of processing personal data." The CPA only applies to controllers that conduct business in Colorado, or that intentionally target their products or services to Colorado residents, and that also meet one of the following criteria:
- Control or process personal data of more than 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The scope of the CPA is similar to the CDPA's, albeit broader, since the CDPA also includes the requirement that businesses deriving over 50% of their gross revenue from the sale of personal data must comply. The CCPA and CPRA both include a third threshold for businesses with annual revenues of $25 million for the preceding year.
As with the other privacy laws, the CPA specifies several individual rights for consumers to better protect their personal data.
Right to Access.
A consumer has the right to confirm whether a controller is processing their personal data and the right to access such personal data.
Right to Correct.
Consumers can request that inaccuracies in their personal data be corrected. However, businesses can take into account the nature of their personal data and the purposes of the processing of the consumer's personal data.
Similar language is found in the CDPA.
Right to Delete.
A consumer has the right to delete the personal data that the controller has collected on them.
Compared to the language of the CCPA and CPRA ("which the business has collected from the consumer") and the CDPA ("provided by or obtained about the consumer"), this deletion right is broader than the others.
Right of Data Portability.
Consumers have the right to obtain their personal data from a controller in a portable and readily usable format that allows them to transmit the data to another entity without interference. Consumers can only exercise this right twice per calendar year.
Consumers can submit these requests to controllers, who will have 45 days to act on them. This period can be extended to 90 days when reasonably necessary. Controllers must also provide requested data free of charge but can charge for the second or any subsequent request within a twelve-month period. Furthermore, since a controller is not required to comply with a consumer request it is unable to authenticate, it must establish an internal process through which consumers can appeal a refusal. The appeal process must be clearly visible and easy to use.
Right to Opt Out.
Consumers have the right to opt out of the processing of their personal data for the following purposes:
- Targeted advertising
- The sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer
Consumers also have the right to authorize another person to opt out on their behalf, all of which is identical to the CDPA's opt-out right.
Beginning on July 1, 2024 (one year after the CPA's effective date), controllers that process personal data for targeted advertising or to sell the personal data of consumers must provide consumers with the ability to opt out through a "user-selected universal opt-out mechanism." The technical specifications will be established by the Attorney General, but ultimately, consumers should be able to opt out of all activities subject to this right by clicking one button.
Regulation of Sensitive Data
Like the CCPA, CPRA, and CDPA, the CPA has special protections for sensitive data, which covers categories such as:
- Racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship, or citizenship status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data from a known child
With the CPA, sensitive data cannot be processed without obtaining consumer consent, or without obtaining consent from a parent or lawful guardian in the case of a known child. Consent must be a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous consent and cannot be obtained using broad terms or through "dark patterns." This opt-in consent method for the processing of sensitive personal data follows the CDPA closely, but contrasts with the CCPA's opt-out approach and the CPRA's "Limit the Use of My Sensitive Personal Information" opt-out button.
Processing Obligations for Controllers
Similar to the CDPA, the CPA creates specific processing responsibilities for controllers, which include:
- A Duty of Transparency: To provide a “reasonably accessible, clear, and meaningful privacy notice” that covers information such as what data is being collected, for what purpose, who it is being shared with, and how to exercise consumer rights.
- A Duty of Purpose Specification: To collect and process data for the specific purpose, and not in a manner incompatible with what was originally specified.
- A Duty of Data Minimization: To collect only what is reasonably necessary, adequate, and limited to what is necessary for the specific purpose.
- A Duty to Avoid Secondary Use: To avoid secondary uses that are not reasonably necessary to or compatible with the purposes for which the data is processed.
- A Duty of Care: To employ reasonable security measures to protect personal data against unauthorized acquisition during both storage and use.
- A Duty to Avoid Unlawful Discrimination: To not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers.
- A Duty to Process Sensitive Data Only with Consumer Consent: To not process sensitive data unless the controller obtains the consumer's consent.
Controllers are required to implement appropriate technical safeguards, and those that collect data presenting a heightened risk to consumers must conduct a data protection assessment (DPA). A DPA is required for targeted advertising or profiling, the sale of personal data, and the processing of sensitive data, the same triggers as under the CDPA. These DPAs must be made available to the Attorney General upon request.
Contracting Obligations for Processors
Under the CPA, processors process personal data on behalf of a controller and have direct obligations to assist controllers with their compliance efforts, as under the CCPA, CPRA, and CDPA. The relationship between processor and controller is governed by a contract that determines the nature and purpose of the processing and sets out various responsibilities. These duties can include responding to consumers' requests to exercise their rights, aiding in breach notifications, and conducting DPAs. A processor must also delete or return all personal data to the controller at the end of the contract and cooperate with audits by the controller to verify compliance with the law.
The CPA contains numerous exemptions for entities and types of personal data regulated by certain federal laws, including protected health information under HIPAA; financial institutions and their affiliates, along with the personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA); and personal data regulated by the Driver's Privacy Protection Act (DPPA), the Children's Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act (FERPA).
In addition, data maintained for employment records purposes, such as job applications, is also exempt. De-identified data (data no longer linked to a specific consumer) and publicly available data in government records, such as property tax and home ownership records, are also exempt.
Unlike the CCPA, the CPA does not have any right of action allowing individual consumers to sue for violations. Instead, enforcement would be through the Colorado Attorney General and the District Attorneys. Similar to the three other data privacy laws, the CPA provides a cure period before taking enforcement action. From July 1, 2023, to January 1, 2025, controllers will have 60 days to rectify any alleged violations, establishing the longest right to cure yet (CCPA and CDPA each require 30 days). This provision is set to sunset on January 1, 2025, at which point there will be no cure period, same as the CPRA.
The CPA does not yet identify specific penalty amounts, but states that violations of the law will be enforced as deceptive trade practices.
There is no single, all-encompassing federal law that governs data privacy in the United States. Instead, individual states have been proposing legislation to protect consumers' personal data. Despite the push towards privacy legislation from various states in recent years, Colorado is only the third state to have passed a data privacy law. Regardless, it builds momentum for other states across the country to enhance their data privacy measures and expand data protection for U.S. consumers.