On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law, making Colorado the third state to enact comprehensive privacy legislation, following in the footsteps of California and Virginia. However, on the same day, Governor Polis issued a statement directed to the Colorado General Assembly explaining that, in the “haste to pass this bill,” a number of issues remain outstanding and that clean-up legislation will be required in the upcoming legislative year in Colorado. In the statement, Governor Polis urged that this clean-up legislation “strike the appropriate balance between consumer protection while not stifling innovation and Colorado’s position as a top state to do business.” In addition, the Colorado Attorney General may adopt rules before January 1, 2025 that may further change the law or how it will be enforced. Thus, the law is likely subject to significant changes both before and after it goes into effect on July 1, 2023, leaving organizations that are subject to the law with the dilemma of either beginning to work towards compliance now, or waiting until amendments have been passed and potentially scrambling to comply ahead of the effective date.
While the law as currently enacted shares many similarities with the European Union’s General Data Protection Regulation (the “GDPR”) and is similar to the comprehensive privacy laws passed in California and Virginia, there are some significant differences. Therefore, compliance with the GDPR or the privacy laws in California or Virginia is not necessarily sufficient to be compliant under the current version of the CPA.
THE CPA: WHAT YOU NEED TO KNOW
• The CPA applies to businesses that intentionally target Colorado consumers and that collect and store data on at least 100K consumers or earn revenue from selling data of at least 25K consumers. Notably absent is any revenue threshold.
WHAT TO DO TO PREPARE
Because the law is subject to change, organizations should prioritize the following activities based on resources needed and potential reusability under other privacy regimes or other benefits to the company:
• Conduct a data mapping exercise.
• Perform a privacy impact assessment.
• If the company engages in high-risk processing, retain a cybersecurity audit firm.
• Update policies and procedures for compliance with the new law.
• Review and revise or adopt policies to comply with consumer rights.
• Review and amend privacy notices as necessary.
• Review and revise or adopt compliant data processing addenda.
CPA Applicability and Exemptions
The CPA as currently enacted applies to any business (a “controller”) that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and meets one or both of the following thresholds:
- The controller processes or controls personal data of at least 100,000 Colorado consumers per year. While this is higher than the threshold in California under the CCPA, it is the same threshold as found in California’s new CPRA and the Virginia CDPA.
- The controller processes or controls personal data of at least 25,000 Colorado consumers per year and derives revenue or receives a discount on the price of goods or services from the sale of personal data. Unlike the CCPA and the Virginia CDPA, the CPA does not have a percentage threshold, and any revenue or discount received from the sale of personal data may be sufficient, even if it is minimal. If this threshold survives any amendments, its applicability is likely to be a hot topic of litigation once the law becomes effective.
Unlike the California CPRA, but like the Virginia CDPA, the current CPA also does not have any form of a revenue threshold, thus preventing businesses with high revenue streams but relatively minimal processing of personal data from being ensnared in the CPA’s scope solely because of their revenues.
The current CPA only applies to information about consumers, which are defined as Colorado residents acting only in an individual or household context. It does not apply to information about individuals acting in a commercial or employment context (including as a job applicant, or as a beneficiary of another individual acting in the employment context). In contrast, both employment and business-to-business information will be subject to California’s CPRA once the temporary exclusions for these types of data expire on January 1, 2023, unless the temporary exclusions are extended or another law is passed to cover this information.
The law applies to a controller’s processing of “personal data,” which the law defines as “information that is linked or reasonably linkable to an identified or an identifiable individual.” However, the definition explicitly excludes de-identified information and publicly available information. “Publicly available information” is a somewhat broader exclusion than that found in laws like the CPRA, and includes not only information lawfully made available from government records, but also information that the controller has a reasonable basis to believe the consumer has lawfully made available to the general public. This likely includes information posted on social media; however, it is unclear whether information posted on social media to a limited audience will be deemed publicly available.
Certain types of entities and certain types of categories are exempt from the requirements of the CPA. Entities regulated by the Gramm-Leach-Bliley Act (GLBA) are exempt from the CPA. Although the law does not completely exempt entities regulated by HIPAA, it does exempt various other types of personal data subject to other laws and regulations, including health-related information considered protected health information under HIPAA as well as certain clinical research data, and certain information subject to the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Driver’s Privacy Protection Act (DPPA).
The CPA provides Colorado consumers with the following rights regarding their personal data:
- Right of access. Consumers have the right to confirm whether a business is processing their personal data and to access their personal data.
- Right to opt out. Consumers have the right to opt out of processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- Right to correction. Consumers have the right to correct inaccuracies in their personal data. However, the nature and purposes of the processing of the consumer’s personal data must be taken into account.
- Right to deletion. Consumers have the right to delete personal data about themselves.
- Right to data portability. Consumers have the right to obtain their personal data in a portable format twice per year. This data must be in a readily usable format that allows the consumer to transmit the data to another entity without encumbrance, to the extent technically feasible.
- Right to appeal. Businesses must respond to consumer requests under the CPA within 45 days of receipt. This deadline may be extended for an additional 45 days if the consumer is notified within the initial 45-day period and the extension is reasonably necessary. If the business decides not to take action on the consumer’s request, it must inform the consumer how they can appeal the decision. The appeal process must be “conspicuously available” and easy for the consumer to use.
Controllers are required to respond within 45 days of the request; however, this can be extended an additional 45 days under certain circumstances. Controllers are required to provide the information requested at no charge up to once per year, but may charge for additional requests within a 12-month period. Consumers may exercise these rights by submitting requests as described in the privacy notice. While controllers cannot require consumers to create a new account to exercise these rights, controllers can require the consumer to use their existing account.
In addition to permitting consumers to exercise their rights, the CPA imposes multiple new affirmative duties on controllers.
- Transparency. Controllers must provide consumers with a clear and meaningful privacy notice. The notice must be reasonably accessible and must include: (a) the categories of personal data collected or processed; (b) the purposes for which the personal data is processed; (c) a description of the consumer rights described above and how a consumer can exercise them; (d) the categories of personal data that are shared with third parties; and (e) the categories of third parties with whom the personal data is shared.
- Data Minimization. Controllers must limit collection of personal data to that which is relevant and reasonably necessary in relation to the specified purpose of the data processing.
- Purpose limitation. Controllers are required to clearly and conspicuously disclose the express purposes for which personal data is collected and processed. Controllers must first obtain the consumer’s consent for use of personal data that is not reasonably necessary or compatible with the disclosed purposes.
- Duty of care. Controllers must take reasonable measures to secure personal data from unauthorized acquisition during storage and use. Data security practices must be appropriate for the nature of the business and the amount and type of data processed.
- Avoiding Unlawful Discrimination. Controllers are prohibited from processing personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers.
- Consent for Processing Sensitive Data. Controllers must obtain consent before processing a consumer’s sensitive data. If processing sensitive data of a child, the business must first obtain consent from the child’s parent or lawful guardian. Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person’s sex life or sexual orientation, citizenship or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. Sensitive data also includes personal data from a known child.
- Sales of Personal Data. Controllers must clearly and conspicuously disclose the sale of personal data or any processing of personal data for targeted advertising, and must provide consumers with an opportunity to opt out of such activities.
- Data Protection Assessments for High-Risk Processing. Controllers must conduct and document a data protection assessment if their processing activities will present a heightened risk of harm to a consumer. Such activities include processing sensitive data, selling personal data, and targeted advertising or profiling if the profiling presents certain reasonably foreseeable risks.
- Processors and Data Processing Agreements. Processors are entities that process personal data for or on behalf of controllers. Processors are required to comply with the controller’s instructions. Furthermore, processors are also required to assist the controller in meeting its obligations under the CPA, including by taking appropriate measures to assist in responding to consumer requests, helping meet the security and breach notification obligations, and providing the information necessary to conduct data protection assessments. Controllers and processors must enter into a written agreement with terms and conditions similar to those required by the GDPR, which:
- Describes the purpose of the processing, the duration of the processing, and the types of personal data to be processed;
- Requires that each person involved in the processing be subject to a duty of confidentiality;
- Requires that the processor only use subprocessors pursuant to a similar contract and that the processor take responsibility for any subprocessors;
- Describes the allocation of responsibility for security measures;
- Requires the processor to either delete the personal data or return it to the controller, unless retention is required by law;
- Requires the processor to allow for and contribute to reasonable audits and inspections by the controller or a third-party auditor. However, with the controller’s consent, the processor can instead retain an independent auditor to audit the processor’s policies and security standards against an appropriate and accepted control standard or framework; and
- Requires the processor to make available all information necessary for the controller to show compliance.
The CPA explicitly states that there is no private right of action for consumers. Instead, the CPA can be enforced by both the attorney general and district attorneys, who may bring an action in the name of the state or on behalf of individuals residing in the state. Until January 1, 2025, the attorney general is required to provide the organization 60 days to cure a violation before he or she can bring an action against the organization. However, this cure period will sunset on January 1, 2025, and no cure period is provided after that date.
The law does not specify any statutory fines. However, a violation of the CPA is considered a deceptive trade practice, which may be subject to fines of up to $2,000 per violation (up to $500,000) pursuant to the Colorado Consumer Protection Act for actions by the Attorney General, and for a minimum of $500 for actions brought by individual consumers. It is unclear if consumers in Colorado will try to use the Colorado Consumer Protection Act as a back door to litigate violations of the CPA as they have done in California.
While the currently enacted version of the CPA imposes some significant obligations on organizations that may be subject to the new law, organizations that have worked or are working towards compliance with California’s CCPA or CPRA or the GDPR will find significant overlap in those efforts and in the policies and procedures adopted pursuant to those laws. However, organizations that have not been subject to other similar privacy laws, such as those in California, Virginia, or Europe, may need to expend significant resources on compliance. The uncertainty around the law as a result of Governor Polis’ request for amendments leaves businesses unable to work towards full compliance just yet. Because the law is subject to change, organizations should prioritize the following activities, which are likely to take a significant amount of time, may be re-used across other privacy regimes, or have general applicability to a mature privacy program:
- Undertake a data mapping to understand the types of data the organization stores, the purposes for which they are used, and whether all data is needed.
- Perform a privacy impact assessment.
- Begin engagements with independent cybersecurity audit firms for high-risk processing.
- Update policies and procedures to comply with the new requirements and obligations of the CPA.
- Start developing business processes to allow consumers to exercise their new rights.
- Ensure the organization has a reasonably accessible, clear, and meaningful privacy notice that is compliant with the requirements of the CPA.
- Review business relationships with third-party data processors to understand the role of each party and potential requirements.
- Draft and adopt data privacy addenda with the clauses required under the CPA for use when contracting with third parties.
For more information about the Colorado Privacy Act and its requirements, please contact one of the authors listed below or any of the Partner or Senior Counsel core members of Foley’s cybersecurity practice.