On June 8, 2021, the Colorado Senate passed SB21-190, the Colorado Privacy Act (CPA), as amended by the Colorado House of Representatives. Governor Jared Polis has 30 days to sign it into law, which he is expected to do. Passage of the CPA makes Colorado the third state in the United States to pass a comprehensive cross-industry privacy rights law.
The CPA is modeled on the failed Washington Privacy Act and Virginia’s already passed Consumer Data Protection Act (CDPA) but contains notable differences, including with respect to the scope of its exemptions and the rights it would provide to Colorado residents. Companies already subject to the California Consumer Privacy Act (CCPA), Virginia’s CDPA and the EU’s Global Data Protection Regulation (GDPR) will have a leg up in preparing for the CPA. However, a thoughtful readiness program is needed to comply with the CPA’s unique provisions and to efficiently integrate with existing business operations.
How did the CPA pass?
On March 19, 2021, Colorado lawmakers introduced the CPA. On May 26, 2021, the Colorado Senate unanimously passed the CPA. With its passage on June 8, 2021, after amendments made by the House of Representatives, it was passed within a three-month period despite numerous significant changes to the law as first introduced. This also makes it one of the most quickly passed privacy laws in America. The CPA’s passage takes on additional significance following high-profile failures of comprehensive privacy legislation in Washington and Florida earlier this year and as the clock continues to run on similar efforts in other state legislatures.
Who will be regulated?
The CPA applies to companies that conduct business in Colorado or provide products or services that are intentionally targeted to residents of Colorado and that either (1) control or process the personal data of 100,000 or more Colorado residents annually or (2) derive revenue or receive a discount on the price of goods or services from the “sale” of personal data and process or control the personal data of 25,000 or more Colorado residents. The CPA does not contain a monetary threshold for applicability such as those found in the CCPA and the California Privacy Rights Act (CPRA).
The CPA includes various exemptions that will be familiar to U.S. privacy professionals, including those related to health care entities and health data, such as protected health information under HIPAA, patient identifying information maintained by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research. Additional exemptions include personal data collected for the purposes of the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), Children’s Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA). Finally, data maintained for employment records purposes are exempted as well.
While a “consumer” under the CPA means a natural person who is a resident of Colorado, it expressly does not include “an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” Effectively similar exemptions exist in the CCPA and CPRA, and in Virginia’s CDPA.
What are the main obligations?
Colorado’s legislature studied the CCPA and other proposed privacy laws, including this year’s version of the Washington Privacy Act, in crafting the CPA. The controlling elements of the CPA are amalgams of the various laws with some specific exceptions, including those highlighted below.
Definition of ‘Sale’
The definition of “sale” under the CPA substantially limits the instances in which an exchange of protected data will be considered a sale by requiring that the exchange be for the purpose of (1) third-party licensing or (2) selling personal data to other third parties. It requires monetary or other valuable consideration, which is similar to the Virginia CDPA and distinguishable from California’s law, but the limitation to third parties is significant.
There are two narrow exemptions to the definition of sale. First, it is not a sale if “a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party.” This exception (which also appears in the CPRA) would arguably implicate cookie consent banners, among other things. Second, it is not a sale if the personal data is “intentionally made available to the general public via a channel of mass media and [the consumer] did not restrict to a specific audience.” This exception would, among other things, appear to exclude activities such as data scraping.
The definition substantially limits the instances in which an exchange will be considered a sale by requiring that the exchange be for the purpose of third-party licensing or selling personal data to other third parties. Virginia’s CDPA as well as the CCPA and CPRA do not contain this limitation, and the Nevada Legislature recently amended Nevada’s narrow opt-out law to remove this limitation as well.
Right to Opt Out of Processing
The CPA contains the right to opt out of the processing of personal data in three instances: (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. These are the same three categories contained in the Virginia CDPA. However, Colorado’s definition of “sale” is arguably narrower (as explained above), and it concerns only profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning a consumer.
The CPA requires providing consumers with “clear notice” and “the opportunity to opt out of processing” of sensitive data. This is significantly narrower than the original bill as proposed, which would require companies to obtain a consumer’s affirmative consent prior to processing sensitive data.
Universal Opt-Out Mechanism
Effective January 1, 2024, a company that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out of the processing of such data through a “user-selected universal opt-out mechanism.” This is a meaningful development in privacy law related to opting in and out, which has the potential to dramatically impact online business and advertising. Companies engaging in online advertising in Colorado should consult a lawyer regarding their opt-out mechanisms.
The attorney general’s office is permitted to promulgate regulations for technical specifications for such opt-out mechanisms by December 31, 2023. The CPA sets forth a number of requirements for those regulations, including requiring the opt-out to represent the consumer’s affirmative consent, to be consumer-friendly and to accurately authenticate the consumer.
How is it enforced?
The Colorado attorney general’s office and state district attorneys will enforce the CPA. The CPA provides for civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations.
The CPA adds a right to cure that requires the attorney general or district attorneys to first notify a business of an alleged violation. A business then has 60 days to cure the violation. The attorney general and district attorneys must provide an entity notice and allow it 60 days to cure any alleged violation, but this provision will sunset on January 1, 2025. As with the CCPA and CDPA, the ability to cure an alleged violation will need significant attention and advice of counsel should the opportunity to cure arise.
There is no express private right of action for Colorado residents. This is similar to the Virginia CDPA.
What happens next?
Most of the CPA’s substantive provisions will not take effect until July 1, 2023, which would give covered businesses a two-year grace period in which to prepare. Companies doing business in Colorado should begin evaluating what procedures can be put in place in the relatively short two-year run-up in order to be CPA compliant. In the meantime, Manatt will continue to monitor legislative developments across the country.