On March 19, 2021, Colorado joined the growing list of states proposing privacy protections with the introduction of the bipartisan Colorado Privacy Act (CPA) bill, SB21-190, in the Colorado Senate. The CPA, if enacted, would provide Colorado consumers with additional protections for, and certain rights regarding, their personal data and would also impose new obligations on companies holding that data.
It would also exacerbate some of the compliance challenges that have already started to emerge from the growing patchwork of state privacy laws. While the CPA is superficially similar to California’s CCPA and Virginia’s brand-new CDPA, subtle differences are likely to make consumer disclosures complicated and compliance with conflicting specific requirements confusing.
Who the CPA would apply to:
The CPA would govern the “personal data” of “consumers.” The CPA defines “personal data” as information that is linked or reasonably linkable to an identified or identifiable individual. A “consumer” is limited to a Colorado resident acting only in an individual or household context and not in a commercial or employment context.
The CPA would impose obligations on “controllers” and “processors” that process the personal data of Colorado consumers. The CPA defines a “controller” as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” means a person who processes personal data on behalf of a controller. The CPA would apply to all controllers that:
- conduct business or produce products or services targeted to Colorado residents; and
- control or process personal data of more than 100,000 consumers per year or derive a financial benefit from the sale of personal data and control or process personal data of at least 25,000 consumers.
However, the CPA has several carve-outs to its applicability, and it would not apply to data governed by certain enumerated state and federal laws. For example, the CPA generally would not apply to data protected by HIPAA, the Substance Abuse Confidentiality Regulations (commonly referred to as the Part 2 regulations), the regulations for the Federal Policy for the Protection of Human Subjects (commonly referred to as the Common Rule), or the Gramm-Leach-Bliley Act. The CPA also would not apply to data maintained for employment records purposes.
What the CPA would require:
The CPA would allow Colorado consumers to exercise, and require controllers to respond to the exercise of, certain rights with regard to their personal data. Consumers’ rights would include:
- The right to opt out of the processing of personal data concerning the consumer, as well as the right to authorize another person to, on the consumer’s behalf, opt out of the processing of the consumer’s personal data for purposes of targeted advertising or the sale of the consumer’s personal data;
- The rights of access and data portability to confirm whether the controller is processing the consumer’s personal data and, if so, access that data in a portable and readily usable format to the extent technically feasible;
- The right to correction to correct any inaccurate personal data collected from the consumer; and
- The right to deletion to delete personal data concerning the consumer.
Consumers would be able to exercise these rights by submitting a request to the controller. Within 45 days of receiving such a request (a period that may be extended by up to another 45 days), the controller would be required to respond and either notify the consumer of the action taken in response or, if no action is taken, explain the reasons why. The controller would also be required to establish an internal appeals process under which a consumer would be able to appeal a refusal by the controller to take action on the consumer’s request to exercise his or her rights.
The CPA would also impose several additional duties on controllers. Most notably, controllers would be required to provide consumers with a privacy notice disclosing the categories of personal data collected, the purposes for which the personal data is processed, an estimate of how long the controller will maintain the personal data, an explanation of how consumers are to exercise the rights listed above, and information about the personal data the controller shares with third parties.
The CPA’s (mis)alignment with other states:
Almost all of these requirements are similar to provisions of California’s CCPA and Virginia’s CDPA, but the details vary. For example, the requirement to disclose the categories of personal information collected is similar to those of California and Virginia, but the CPA defines the categories of data somewhat differently from either (and those two states also differ from each other). Likewise, the exceptions to the deletion requirements differ, with each state allowing retention of different categories of data.
How the CPA would be enforced:
Unlike other state privacy laws that may be enforced directly by consumers, the CPA as currently proposed expressly states it does not authorize a private right of action to redress violations. Rather, the CPA would be enforced by the Colorado attorney general and district attorneys. Violators would be subject to an injunction and a civil penalty of up to $2,000 for each violation, with no penalty cap. While some other state laws require the attorney general to provide advance notice and opportunity to cure a violation prior to bringing an action, the CPA would not.
The fate of the CPA, and whether it will be enacted as proposed, remains uncertain. However, regardless of whether the CPA or some version of it ultimately becomes law, Colorado businesses would do well to remember that the Colorado statutes imposing data security, data disposal and data breach reporting obligations remain on the books. The CPA, as currently drafted, would not alter any of these existing requirements. It is always prudent for businesses to, where applicable, review their existing breach response plans, information security policies, and data retention and disposal policies to ensure they are sufficient and compliant.