What Businesses Are Covered?
The Colorado Privacy Act (CPA) applies to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and either (1) control or process personal data of more than 100,000 consumers per calendar year, or (2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The CPA does not apply to personal data governed by delineated state and federal laws or employment records.
There are several notable concepts and terms in the CPA that impact the requirements and applicability of the provisions. They are:
- “Consent”: Consent under the CPA is opt-in consent. Consent requires a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means…” This is more in line with European standards of consent and departs from historical US standards of opt-out consent.
- “Consumer”: The Colorado Privacy Act applies to consumers. A consumer is defined as an “individual who is a Colorado resident acting only in an individual or household context.” The term consumer explicitly excludes individuals acting in a commercial or employment context, such as a job applicant, or as a beneficiary of someone acting in an employment context.
- “Controller”: Similar to the European concept, the CPA defines a controller as a person or entity that “alone or jointly with others, determines the purposes for and means of processing personal data.”
- “Dark Pattern”: Dark patterns are increasingly covered by new and draft regulations. Under the CPA, dark pattern means “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.”
- “Personal Data”: Personal data is simply defined as “information that is linked or reasonably linkable to an identified or identifiable individual; and does not include de-identified data or publicly available information.”
- “Processor”: A processor is a person or entity that processes personal data on behalf of a controller. These are frequently service providers and vendors.
- “Profiling”: Profiling means “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Requirements for profiling will affect the use of artificial intelligence and other personal data automated processing systems.
- “Sale”: The sale of personal data is also addressed by the CPA, which defines sale as an “exchange of personal data for monetary or other valuable consideration…” By including “other valuable consideration,” this definition is similar to the California privacy law.
- “Targeted Advertising”: The CPA defines targeted advertising as displaying an advertisement based on personal data “obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.”
Data Subject Rights
Controllers must provide Colorado consumers the following data subject rights:
- Right to opt-out of the processing of personal data, including processing for the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects;
- Right of access to confirm whether a controller is processing personal data;
- Right to correct inaccuracies of personal data;
- Right to delete personal data; and
- Right to obtain a portable copy of data.
Controller and Processor Responsibilities
While many of the requirements for controllers and processors set forth under the CPA will be familiar, including data subject rights (listed above) and other requirements regarding the secure handling of personal data, some notable requirements under the CPA include:
- Data protection assessments: Controllers must conduct a data protection assessment for processing activities involving personal data that present a heightened risk of harm, including for example, processing personal data for targeted advertising or processing sensitive data.
- Processor obligations: Processors must assist controllers with obligations under the CPA, including assisting with data subject requests by taking appropriate technical and organizational measures.
- Restrictions on subcontractors: Processors must also provide controllers with an opportunity to object before engaging a subcontractor. This is frequently an issue in data processing agreements between controllers and processors.
- Data processing agreements: Processing by a processor must be conducted under a contract between the controller and processor that is binding on both parties. There are specific provisions that must be included such as the type of personal data subject to the processing, the duration of the processing, and processing instructions to which the processor is bound.
- Limitations on use of personal data: There are several duties imposed on controllers that will limit use of personal data. These include the duty to avoid secondary use so the controller does not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed. Controllers also have the duty of data minimization such that the controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary.
- Ban on dark patterns when obtaining consent: The CPA defines “consent” as opt-in consent (see definition above). In obtaining consent, the CPA addresses the use of dark patterns, which are misleading or manipulative designs (see definition above). Dark patterns are increasingly gaining attention from legislators and regulators, as dark patterns can be overt but are often subtle.
The CPA can be enforced by district attorneys and attorneys general via injunctions or civil penalties. Civil penalties may be up to $2,000 per violation, not to exceed $500,000 for any related series of violations. Helpfully, through January 1, 2025, the CPA provides a cure period. Prior to enforcement, the attorney general or district attorney must first issue a notice of violation if a cure is deemed possible. The controller has sixty days to cure the violation.
There is no private right of action for violations of the CPA.
What Is Next?
The CPA is scheduled to take effect on July 1, 2023. Further guidance may be released by the Attorney General. The CPA states that by January 1, 2025, the Attorney General may adopt rules for the process of issuing opinion letters and interpretive guidance.
As both the new California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (CDPA) go into effect January 1, 2023, companies are well-advised to start preparing for these laws for the rest of 2021 and in 2022. Much of the effort required to comply with the CPRA and CDPA will assist with CPA compliance as well.