Colorado recently enacted a new comprehensive data privacy law, the Colorado Privacy Act (CPA), which goes into effect on July 1, 2023.
The CPA applies to all controllers that conduct business in Colorado or produce or deliver commercial products or services that are targeted to Colorado residents and that: (i) control or process personal data of at least 100,000 consumers during a calendar year; or (ii) control or process personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. “Personal data” means “any information that is linked or reasonably linkable to an identified or identifiable individual” and does not include de-identified data or publicly available information.
The CPA does not apply to, among others, the following:
- Financial institutions or data subject to GLBA;
- Certain activities and data regulated under FCRA; or
- Data maintained for employment records purposes.
Note the term “controller” is generally defined as a person that determines the purpose and means of processing personal data. Additionally, “processor” means a natural or legal entity that processes personal data on behalf of a controller. Moreover, “process” or “processing” means any operation performed on personal data, such as the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data.
Consumer Rights and Requests
The CPA gives consumers certain rights with respect to their personal data. Specifically, under the new law, among other things, a Colorado consumer may submit a request to a controller to: (i) confirm whether a controller is processing the consumer’s personal data and access such personal data; (ii) correct inaccuracies in the consumer’s personal data; (iii) delete the consumer’s personal data; (iv) no more than twice per year, obtain a copy of the personal data previously provided by the consumer; and (v) opt out of the processing of the consumer’s personal data for certain purposes (e.g., targeted advertising or the sale of personal data). As of July 1, 2024, controllers must allow consumers to exercise their right to opt out through a user-selected universal opt-out mechanism.
Controllers must generally respond to a request from a consumer within 45 days of receipt of the request, but may extend the response period for an additional 45 days when reasonably necessary so long as the consumer is notified within the initial 45-day response period. Note that if a controller is unable to authenticate the consumer’s request using commercially reasonable efforts, the controller is not required to comply with the consumer’s request and may ask the consumer to provide additional information reasonably necessary to authenticate the consumer’s request. Further, a controller must establish a process for a consumer to appeal the controller’s refusal to take action on a request. Note that within 45 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal. The controller must also inform the consumer of the consumer’s ability to contact the Colorado Attorney General (AG) if the consumer has any concerns about the result of the appeal.
Notice Requirements and Other Obligations
The CPA requires controllers to, in part, provide a privacy notice and describe how and where consumers may submit requests pursuant to their rights under the CPA. Moreover, the CPA imposes certain additional obligations on controllers related to: (i) the purposes for which personal data is collected and processed; (ii) security practices to protect personal data; (iii) compliance with state and federal anti-discrimination laws; and (iv) affirmative consent requirements to process sensitive data (as defined by the CPA). Controllers must also conduct and document certain data protection assessments.
In general, a processor must adhere to the instructions of a controller and assist the controller in meeting its obligations under the CPA. According to the CPA, determining whether a person is acting as a controller or processor is a fact-based determination that depends upon the context in which personal data is to be processed.
Penalties and Enforcement
The CPA does not create a private right of action for consumers. However, the CPA allows the AG to seek injunctive relief and bring an enforcement action for deceptive trade practices under the Colorado Consumer Protection Act, which could result in a civil money penalty of up to $20,000 per violation (or up to $50,000 per violation if the consumer is elderly).