For companies already in compliance with the CCPA and GDPR, or that are actively preparing for compliance with the CPRA and VCDPA, similar (although not identical) obligations under the CPA as well as a temporary 60-day cure period may make achieving compliance with the CPA more manageable. However, the CPA’s expanded consumer opt-out rights as well as unique obligations placed on data controllers will require companies subject to the law to further assess their privacy programs and amend their privacy and security practices and policies accordingly before the law takes effect in July 2023. In this post, we provide an overview of the applicability of the CPA and key provisions that may impact businesses’ privacy compliance plans.
Applicability and Scope
The CPA applies to entities that conduct business in Colorado or that produce or deliver commercial products or services that intentionally target Colorado residents and that either (1) control or process personal data of more than 100,000 consumers per year or (2) derive revenue (or receive discounts) from the sale of personal data and control or process data of at least 25,000 consumers. The CPA defines a consumer as “a Colorado resident acting only in an individual or household context.”
While still broad, the CPA’s threshold requirements and limiting definitions likely mean that many small businesses, as well as businesses that operate solely in the B2B context, will fall outside the CPA’s purview. The CPA explicitly omits from the definition of consumer individuals acting in “a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” The CPA also explicitly exempts certain types of entities and categories of data, including state agencies or political subdivisions of Colorado, entities or data subject to GLBA, higher education institutions, and data collected by covered entities or business associates governed by HIPAA. Notably, the CPA does not expressly exempt non-profit entities, nor does it provide an entity-level exemption for HIPAA-regulated entities.
Consumer Rights, Universal Opt-Out, and Appeals
The CPA provides consumers with familiar rights of access, correction, and deletion, as well as the right to data portability. The CPA also provides consumers with the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. This opt-out right is similar to that found in the VCDPA; however, Colorado defines “sales” using a broader CCPA-style definition that includes transfers for “monetary or other consideration.” The CPA expressly directs the Colorado Attorney General to establish technical requirements for a universal opt-out mechanism that, effective July 1, 2024, would allow consumers to click a single button to exercise all opt-out rights. This global opt-out appears to be broader than that contained in the CPRA and would apply to both sales of data and targeted advertising.
Additionally, the CPA requires that controllers establish an appeal process for consumers to appeal a controller’s refusal to comply with a rights request and provides that this process “must be conspicuously available and easy to use.” Consumers must also be informed of their ability to contact the attorney general in the event they have any concerns about the result of an appeal.
The CPA imposes a strict opt-in consent standard for secondary uses of personal data as well as the processing of sensitive data (including data revealing racial or ethnic origin, health data, biometric data, data about religious beliefs, sex life and sexual orientation, citizenship or citizenship status, genetic data, and data of a known child under the age of 13). The CPA defines consent as “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement,” aligning with the GDPR, CPRA, and VCDPA consent standards.
Similar to the CPRA, the CPA does not allow for consent obtained through “dark patterns” (defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice”). Parental consent is also required to process the data of a consumer under 13 years of age.
Written Data Protection Assessments
Colorado’s new law requires that data controllers conduct written data protection assessments for processing activities that present a “heightened risk of harm to a consumer.” This includes processing sensitive data, selling personal data, and processing personal data for targeted advertising or profiling that presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- Financial or physical injury to consumers;
- A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
- Other substantial injury to consumers.
Beginning July 1, 2023, controllers will be required to make these written assessments available upon request to the Colorado Attorney General for compliance evaluations. While the written data protection assessment requirement does not apply to data processing activities created or generated before July 1, 2023, entities covered under the CPA will want to ensure they have an established and workable procedure in place for conducting these assessments in advance of this deadline, as the Colorado Attorney General can start requesting production of these documents as of this date.
Data Processing Contracting Requirements
The CPA requires data controllers to include specific contractual provisions in any contract for data processing performed on their behalf. These requirements are similar to those under the GDPR and require that contracts include processing instructions by which the processor will be bound as well as a description of the purpose of the processing, the type of personal data that will be processed, the technical and organizational data safeguards in place, limitations on the use of subcontractors, data retention obligations, and controller audit rights.
There is no private right of action under the CPA. Instead, enforcement power resides with the Attorney General and Colorado District Attorneys. For the first two years after the law is enacted, entities will have a 60-day notice and cure period to remedy any violations of the law before the Colorado Attorney General or District Attorneys can initiate an enforcement action. This cure period will be automatically repealed on January 1, 2025. A violation of the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act and is thus subject to injunctive relief and civil penalties of up to $20,000 per violation.
The Colorado Attorney General has the authority to promulgate rules for the purpose of carrying out the Act and may adopt rules concerning opinion letters and interpretive guidance concerning the law by January 1, 2025.
The CPA is set to go into effect on July 1, 2023, just six months after the CPRA and VCDPA. However, the CPA allows Colorado voters or the General Assembly to call for a referendum on all or part of the CPA before September 6, 2021, which would require a vote in the November 2022 election. Additionally, the Governor signaled support for supplemental “clean-up” legislation related to the law in the next legislative session. Forthcoming regulations and potential supplemental legislation may further refine the law or lead to a delay in its effective date. As businesses watch these developments unfold, they should begin to consider how to integrate CPA requirements into their compliance plans as they adapt for both the CPRA and VCDPA.
The full text of the CPA can be found here.
For a summary of the key differences between the CPA, CPRA, and VCDPA, see our previous blog here.