Colorado is now the third state in the U.S. to pass comprehensive privacy legislation, following in the footsteps of California and Virginia. The Colorado Privacy Act (the “CPA”), passed by the state’s General Assembly as SB 190, is currently awaiting signature by Governor Jared Polis. If signed, the CPA will become effective July 1, 2023.
The CPA includes a mix of concepts similar to those found in other comprehensive privacy legislation passed in the U.S. (e.g., the California Consumer Privacy Act (the “CCPA”) and Virginia’s Consumer Data Protection Act (the “CDPA”)), as well as the European Union’s General Data Protection Regulation (the “GDPR”). Key aspects of the CPA include the following:
- Controllers & Processors. Like the GDPR, the CPA uses the terms “controller” and “processor”, and uses very similar definitions for each of these terms. The CPA defines the term “controller” as a person that, alone or jointly with others, determines the purposes for and means of processing personal data, and the term “processor” as a person that processes personal data on behalf of a controller.
- Personal Data. The CPA defines “personal data” as information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information (i.e., information that is lawfully made available from federal, state or local government records, or information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public).
- Consumers. Like the CCPA, the CPA covers personal data of consumers. A “consumer” is defined as an individual who is a Colorado resident acting only in an individual or household context, not an individual acting in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context.
- Applicability. The CPA applies to controllers that conduct business in Colorado or that produce or deliver products or services that are intentionally targeted to Colorado residents and that either (1) control or process personal data of at least 100,000 consumers per calendar year, or (2) derive revenue or receive a discount from the sale of personal data and control or process the personal data of at least 25,000 consumers.
- Exceptions. The CPA does not apply to certain types of personal data (e.g., protected health information), personal data governed by specified state and federal laws (e.g., HIPAA, GLBA, FERPA), personal data collected in connection with certain activities (e.g., personal data collected by a consumer reporting agency), or employment records.
- Individual Rights. Like the CCPA and GDPR, consumers are granted certain rights under the CPA, including the right to: (1) opt out of processing for the purposes of targeted advertising, the sale of personal data or certain profiling activities; (2) access, correct or delete their personal data; and (3) obtain a portable copy of their personal data. Controllers must respond to an individual rights request within 45 days of receipt of such request, which may be extended by an additional 45 days where reasonably necessary. A business is not obligated to respond to an individual rights request if it cannot authenticate the request using commercially reasonable efforts.
- Sensitive Data. A controller must obtain the consumer’s consent prior to processing sensitive data. The CPA defines “sensitive data” as (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (2) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (3) personal data from an individual known to be under age 13.
- Sales of Personal Data. Like the CCPA, the CPA includes a fairly broad definition of the term “sale”, which means the exchange of personal data for monetary or other valuable consideration by a controller to a third party. The term “sale” does not include (among other things): (1) the disclosure of personal data to a processor that processes personal data on behalf of a controller; (2) the disclosure of personal data as an asset as part of a merger, acquisition or bankruptcy; or (3) the disclosure of personal data that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party. If a controller sells personal data or processes personal data for targeted advertising, the controller must disclose these activities and provide a manner for opting out of these activities.
- Notice Requirements. Controllers must provide a reasonably accessible, clear and meaningful privacy notice to consumers that includes, among other things: (1) the categories of personal data collected or processed by the controller or a processor; (2) purposes for which personal data is processed; (3) how and where to exercise a consumer’s individual rights; (4) the categories of personal data shared with third parties; (5) the categories of third parties with whom the controller shares personal data; and (6) the express purposes for which personal data is processed.
- Use of Processors. Similar to the GDPR, the CPA requires controllers to have a binding contract with each of their processors that sets forth the applicable instructions for processing personal data and includes certain provisions (e.g., imposing confidentiality obligations on individuals processing personal data; engaging a subcontractor only after providing the controller with notice and an opportunity to object; and an obligation to delete or return personal data to the controller at the end of the provision of services). Additionally, processors are obligated to assist the controller in meeting its obligations under the CPA, including (1) taking appropriate technical and organizational measures to assist the controller in responding to individual rights requests, (2) helping to meet the controller’s obligations related to the security of processing personal data and in connection with notifications of security breaches, (3) providing information to the controller necessary to conduct a data protection assessment, and (4) allowing for and contributing to audits and inspections by the controller.
- Data Minimization. A controller’s collection of personal data must be adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data is processed.
- Data Security. Controllers must take reasonable measures to secure personal data from unauthorized acquisition during both storage and use. The data security measures must be appropriate to the volume, scope and nature of the personal data processed and the nature of the controller’s business.
- Data Protection Assessments. A controller cannot conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data. This includes where the processing involves targeted advertising or profiling, selling personal data, or processing sensitive data. The controller is required to make the assessment available to the Attorney General upon request.
- Enforcement. The CPA may be enforced by the Colorado Attorney General or a district attorney. The CPA does not include a private right of action. Prior to any enforcement action, the Attorney General or district attorney must issue a notice of violation to the controller and give the controller 60 days to cure, unless the violation is incurable.
The Attorney General is authorized to promulgate rules for carrying out the CPA, which will likely provide additional clarity regarding the specific provisions of the CPA and how they will be interpreted and enforced. Entities that are already in compliance with the GDPR and the CCPA or the CDPA are likely largely in compliance with the CPA already. However, entities that are not subject to the GDPR, the CDPA or the CCPA, but that are subject to the CPA, should start planning now how to comply with the CPA by July 2023.