Colorado may soon enter the national stage for its new privacy legislation. On June 8, 2021, Colorado's legislature passed the Colorado Privacy Act (SB21-190) (ColoPA). The bill was recently sent to the Colorado governor's desk, where he will have until July 8 to sign or veto it; otherwise, it will become law without his signature. If Governor Jared Polis signs the bill or does not act on it (and assuming the act is not put to a referendum), Colorado will become the third U.S. state to enact comprehensive privacy legislation, after California and Virginia.
ColoPA mimics the California Consumer Privacy Act (CCPA), California Consumer Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and the EU General Data Protection Regulation (GDPR) in numerous ways. For example, ColoPA prescribes data rights for consumers and duties for controllers and processors of data. Similar to the VCDPA and the GDPR, it assigns controllers the responsibility of conducting data protection assessments (DPAs) for certain activities. ColoPA tracks the VCDPA more closely with regard to its robust rights to opt out of the sale of personal data and to opt out of the processing of personal data for targeted advertising and certain types of profiling, as well as its requirement to obtain consent before processing sensitive personal data. Unless the bill is vetoed, ColoPA will go into force on July 1, 2023.
- Operationally, ColoPA contains significant overlap with the VCDPA and CPRA regarding the privacy rights businesses must offer to Colorado residents and the privacy policies and procedures companies and vendors will have to implement to comply with the law.
- ColoPA uses scoping thresholds functionally identical to the VCDPA, but unlike the CCPA, CPRA, and VCDPA, ColoPA does not contain an exemption for nonprofit organizations. If ColoPA is enacted, a nonprofit meeting one of the ColoPA threshold criteria would be subject to the law.
- ColoPA creates rights for Colorado residents to opt out of the sale of personal data and opt out of the processing of personal data for targeted advertising and certain types of profiling. The law also creates rights of access, correction, deletion, and data portability, largely mirroring the VCDPA and overlapping substantially with the CPRA.
- Like the VCDPA, ColoPA requires businesses to obtain consent[1] before processing sensitive personal data.[2] This contrasts with the CPRA's more limited opt-out approach for certain uses of sensitive personal data.
- ColoPA is also the second U.S. state privacy law, after the CPRA, to address the concept of "dark patterns" and expressly state that consent obtained via dark patterns is not valid. This may signal that U.S. legislators and regulators alike are becoming increasingly interested in the potential for interface design to manipulate consumer behavior, given that the FTC hosted a dark patterns workshop earlier this year.
- ColoPA is the second U.S. state privacy law to require data protection assessments, largely tracking those required by the VCDPA. This may be a sign that the EU-style risk-of-harm-based approach may become more prevalent in future U.S. state privacy laws.
- If signed into law, ColoPA will come into effect July 1, 2023, six months after the CPRA and VCDPA come into force. Many companies operating across the U.S. will be subject to all three new state privacy laws (Colorado, Virginia, and California) in early to mid-2023 and should therefore consider taking a proactive approach and begin developing their compliance strategy early.
- ColoPA does not create a private right of action. Rather, only Colorado's attorney general and district attorneys will be able to enforce the law. ColoPA also includes a 60-day cure period for violations, but that cure provision is set to automatically sunset on January 1, 2025.
- A patchwork of U.S. state privacy laws is emerging, making nuanced analysis of applicable laws critical, especially given that each law has unique features.
ColoPA applies to controllers that conduct business or produce commercial products or services that are intentionally targeted at Colorado residents and that satisfy one or both of the following thresholds: (1) control or process[3] personal data of 100,000 consumers or more during a calendar year; or (2) derive revenue (or receive a discount on the price of goods and services) from the sale of personal data and process or control the personal data of 25,000 consumers or more. ColoPA defines "consumer" as a Colorado resident acting only in an individual or household context. Mirroring the VCDPA, ColoPA expressly excludes individuals acting in a commercial or employment context from the definition of consumer, meaning the personal data of employees, contractors, or job applicants is exempt from ColoPA. In contrast, the California privacy laws and GDPR may apply to employee, contractor, or job applicant data.
Similar to the VCDPA, ColoPA extends broad, status-based exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), and state institutions of higher education. ColoPA also contains certain data-based exemptions, particularly around protected health information under HIPAA and health records under related laws, and personal data regulated by the Fair Credit Reporting Act (FCRA), the federal Driver's Privacy Protection Act (DPPA), the Children's Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act (FERPA). Finally, ColoPA carves out industry-based exemptions for personal data processed by air carriers, national securities associations, and public utility companies.
Similar to the California privacy laws, VCDPA, and GDPR, ColoPA grants consumers rights regarding their personal data, which the ColoPA defines as "information that is linked or reasonably linkable to an identified or identifiable individual" and excludes de-identified or publicly available information. Specifically, ColoPA provides the consumer rights of access, correction, deletion, and data portability. Following the VCDPA's example, ColoPA also grants consumers the right to opt out of the processing of their personal data for the purpose of targeted advertising, sale, and profiling decisions that have legal or similarly significant effects. ColoPA also prohibits the processing of sensitive data without first obtaining the consumer's consent. Notably, ColoPA defines "sale" to mean "the exchange of personal data for monetary or other valuable consideration by a controller to a third party," thus adopting a broader definition of sale similar to California's privacy laws rather than the VCDPA's more limited definition that includes only an exchange of personal data for monetary consideration.
Under ColoPA, consumers may exercise their opt-out right via a third party, including via a universal opt-out mechanism that meets the requirements set out by the state attorney general (to be established by July 1, 2023). ColoPA requires this opt-out method to be provided clearly and conspicuously within and outside of the law's required privacy notice. While compliance with the universal opt-out mechanism will initially be optional, it will be required beginning July 1, 2024.
Consistent with the CCPA, CPRA, and VCDPA, controllers must respond to consumer requests within 45 days, and this period can be extended by an additional 45 days. As with the VCDPA, all consumer requests must be authenticated. ColoPA also specifies grounds on which a controller may deny a consumer's request; one of note is that the data is pseudonymized (defined to mean the data can no longer be attributed to a specific individual without the use of additional information) and the controller keeps the information necessary to re-identify the data separately, subject to effective technical and organizational measures to prevent access. Similar to the VCDPA, ColoPA requires the establishment of an appeals process allowing a consumer to appeal any denial of a request.
Controller and Processor Duties
Like the GDPR and VCDPA, ColoPA uses a controller/processor framework and places primary compliance obligations on controllers. ColoPA defines "controller" as a person that, alone or jointly with others, determines the purposes and means of processing. Processors are persons or entities that process data on behalf of the controller. Both processors and controllers must ensure an appropriate level of data security. Like its predecessors in California and Virginia, ColoPA requires a binding written contract in place between controllers and processors that clearly allocates responsibilities, sets out processing instructions, delineates the type of personal data to be processed, outlines deletion and retention requirements, and provides for audit procedures. This contract cannot relieve a controller or processor from the liabilities imposed on them by ColoPA.
ColoPA also imposes a few obligations directly upon processors. Specifically, processors are required to assist the controller in (1) responding to consumer requests, (2) meeting its security and data breach notification obligations, and (3) providing information to the controller for the purpose of conducting DPAs. Processors are also required to (1) ensure that persons processing personal data are subject to a duty of confidentiality and (2) require subcontractors engaged by the processor to meet the same obligations with respect to personal data as the processor, and provide controllers an opportunity to object to any subcontractors.
Most notably, following the VCDPA's example, ColoPA will require controllers to conduct DPAs for processing activities that present a heightened risk of harm to a consumer. Such processing activities include processing for targeted advertising, selling personal data, or processing sensitive data. If processing for purposes of profiling presents a foreseeable risk of unfair or deceptive treatment, financial or physical injury, or an intrusion into the consumer's private life that would be offensive to a reasonable person, a DPA would also be required. Conducting a DPA requires controllers to identify and weigh the benefits of processing activities against the risk of harm to consumers. DPAs are required for processing activities created or generated after July 1, 2023, and they are not retroactive.
Like the existing California and Virginia laws, ColoPA requires controllers to post a privacy notice that includes the categories of personal data collected or processed, the purposes for which the data is processed, the categories of personal data shared with third parties, and the categories of third parties with whom personal data is shared. The privacy notice must also clearly inform the consumer of how they may exercise their data rights and appeal adverse decisions.
Finally, ColoPA also includes a GDPR-esque purpose specification requirement: controllers must "specify the express purposes for which personal data are collected and processed," and must not process personal data for purposes other than those reasonably necessary to or compatible with the specified purpose for which the data was processed unless the consumer provides consent. ColoPA also establishes a duty of data minimization (controllers' collection of personal data must be adequate, relevant, and limited to what is reasonably necessary for the specified purposes for which the data are processed), a new "duty of care" requiring controllers to take reasonable measures to secure data from unauthorized access, and certain anti-discrimination requirements.
Enforcement and Civil Penalties
ColoPA will be exclusively enforced by the Colorado attorney general or district attorneys, as it expressly does not create a private right of action for consumers. At least initially, ColoPA will include a 60-day cure period for violations, but that cure provision is set to automatically sunset on January 1, 2025. The Colorado attorney general also has rulemaking authority with regard to the technical specifications of an opt-out mechanism and is required to adopt such rules no later than July 1, 2023. For the purposes of enforcement, violations of ColoPA will be treated as deceptive trade practices in accordance with the Colorado Consumer Protection Act.[4] As such, the penalty for violating ColoPA can include injunctive relief and civil penalties of up to $20,000 per violation, with each consumer or transaction involved constituting a separate violation and enhanced penalties for violations affecting the elderly.
[1] Consent means "a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data." 6-1-1303(5).
[2] Sensitive data includes personal data revealing race, ethnic origin, religion, mental or physical health, sex life or orientation, citizenship status, personally identifiable genetic or biometric data, and personal data from a known child. 6-1-1303(24)(a)-(c).
[3] Process means the "collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data." 6-1-1303(18).
[4] Colo. Rev. Stat. § 6-1-101 et seq.