There are many similarities between the Colorado Privacy Act (ColoPA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and Europe's GDPR, which gives companies that are already compliant with these other laws (or are working towards compliance) a substantial head start on ColoPA compliance.
In a signing statement on July 8, 2021, the Colorado Governor, traditionally a strong privacy advocate, expressed concern that the law may go too far. However, the Colorado Attorney General, Phil Weiser, embraced the law, stating that the "core part of the Colorado data privacy bill that really matters is consumers will have the ability to control and dictate how their data is used." Under the ColoPA, as under the California and Virginia laws, a consumer's ability to control and dictate their data means that consumers will have rights around the processing of sensitive data and the ability to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling (defined to include automated decision-making). These restrictions under all three laws, though, generally do not impede internal-only processing of personal data for a business' own targeted advertising (except to the extent sensitive personal information is involved).
In a stark departure, however, the ColoPA calls for the Attorney General to develop technical rules for a mandatory universal opt-out signal to allow consumers to simultaneously opt out from all targeted advertising, sale of personal data and use of their data for profiling. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out by July 1, 2024.
Apart from this difference, the ColoPA largely tracks the California and Virginia laws, and like most new privacy laws, borrows heavily from the GDPR. There are some differences, outlined below; but there is a large degree of regulatory convergence, such that a well-designed compliance program should be able to efficiently accommodate all these laws.
- ColoPA applies to Controllers that conduct business in Colorado or intentionally market products or services to Colorado residents and (i) either control or process the personal data of 100,000 or more Colorado residents in a calendar year or (ii) derive revenue or cost savings from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents. Unlike the CCPA, and like the VCDPA, a Controller is subject to the law based solely on the volume of personal data processed, regardless of total revenue. Unlike both Virginia and California, which require that a specified share of revenue come from data sales, a company receiving any revenue or cost savings from the sale of personal data is subject to the ColoPA, so long as the 25,000-resident processing threshold is met. ColoPA § 6-1-1304(1).
Gramm-Leach-Bliley Act and other exceptions
- ColoPA, like the VCDPA, provides an entity-level exemption for financial institutions or affiliates subject to the federal Gramm-Leach-Bliley Act (GLBA). ColoPA § 6-1-1304(2)(q). In addition, the ColoPA exempts data collected, processed, sold or disclosed pursuant to GLBA. ColoPA § 6-1-1304(2)(j)(II).
- Similar to the CCPA/CPRA and the VCDPA, ColoPA excludes data regulated by the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, certain health data, and other statutory and institutional exemptions. ColoPA § 6-1-1304(2)(j)(IV).
Consent for sensitive personal information processing
- ColoPA, like the VCDPA, requires companies to obtain prior, affirmative consent from the consumer (or from a parent or guardian in the case of minors) to process sensitive data. Sensitive data is personal data that reveals "racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status," or "genetic or biometric data that may be processed for the purpose of uniquely identifying an individual," or personal data from a "known child," i.e., an individual under thirteen years of age. ColoPA §§ 6-1-1303(4), (24).
- The CCPA/CPRA generally do not require consent prior to the processing of personal information. However, the CPRA does give a consumer the right to request that a business limit the use of his or her sensitive personal information to that which is necessary to provide reasonably expected services. Cal. Civ. Code § 1798.121.
Right of access and portability
- All three laws provide a right of access and portability. They give consumers the right to have Controllers confirm whether they process personal data about the consumer, to access that data, and to obtain that data in a portable format. ColoPA § 6-1-1306(1)(b), (e).
Right to correction
- The ColoPA, like the VCDPA and CPRA (although not the CCPA) allows consumers the right to correct inaccuracies in their personal data. ColoPA § 6-1-1306(1)(c).
Right to deletion
- All three laws provide consumers the right to delete their personal data. ColoPA § 6-1-1306(1)(d).
- The ColoPA provides fewer express exemptions to the requirement to honor consumer deletion requests than the CCPA/CPRA does, but the effect is likely largely the same: if there is a lawful reason or justification to retain the data (e.g., for tax or regulatory reasons, or to perform on a contract), the Controller can retain it. ColoPA § 6-1-1308(4).
Right of appeal
- The ColoPA, like the VCDPA, requires each Controller to provide consumers an appeals process when it denies a consumer rights request. This appeal process must be conspicuously available and easy to use. The Controller must respond to the appeal within 45 days and must inform the consumer that they can contact the state Attorney General about the result of the appeal. ColoPA § 6-1-1306(3)(a)-(b). The CCPA/CPRA do not require businesses to develop a mechanism for consumers to appeal denials of consumer rights requests, but do require that, if such a process exists, the consumer be informed of it at the time of the denial. Cal. Civ. Code § 1798.145.
Data protection assessments
- ColoPA, like the VCDPA, requires Controllers to conduct data protection assessments to evaluate risks associated with high-risk processing activities, including those related to sensitive data, data sales, and personal data processed for targeted advertising and profiling. (Applicable only to processing activities from July 1, 2023 forward.) ColoPA § 6-1-1309(1). The CCPA does not provide for a data protection assessment, but the CPRA will require a data protection assessment, with specific rules to be determined by forthcoming rulemaking.
- ColoPA imposes explicit duties on Controllers, including:
- the duty of transparency, which requires Controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice;
- the duty of purpose specification, requiring Controllers to specify the express purposes for which personal data are collected and processed;
- the duty of data minimization, which requires that the collection of personal data be adequate, relevant and limited to what is reasonably necessary for the specified purposes;
- the duty to avoid secondary use, which prohibits Controllers from processing personal data for purposes not reasonably necessary to the specified purposes, unless the Controller obtains consumer consent;
- the duty of care, which requires Controllers to take reasonable measures to secure personal data during both storage and use;
- the duty to avoid unlawful discrimination, which prohibits Controllers from processing personal data in violation of state or federal law; and
- the duty regarding sensitive data, which prohibits Controllers from processing a consumer’s sensitive data without first obtaining the consumer’s consent. ColoPA § 6-1-1308.
- ColoPA, like the VCDPA and CCPA, provides a general exemption for internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the Controller. ColoPA § 6-1-1304(3)(a).
Private right of action
- The ColoPA, like the VCDPA and unlike the CCPA/CPRA, does not provide a private right of civil action. The CPRA allows for a private right of civil action for a consumer whose non-encrypted and non-redacted personal information or whose email address in combination with a password or security question and answer that would permit access to the account is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices. Cal. Civ. Code § 1798.150 (effective Jan. 1, 2023).
- ColoPA grants enforcement authority to the State Attorney General and district attorneys, with a maximum civil penalty of $20,000 per violation. Any violation of ColoPA is deemed by statute to be a deceptive trade practice. District attorney enforcement authority may result in more localized and frequent enforcement, whereas California and Virginia's enforcement is more likely to target fewer, more egregious, violations. ColoPA § 6-1-1311(1)(c).
- The CCPA grants enforcement authority to the State Attorney General, and the CPRA adds the California Privacy Protection Agency, with a maximum civil penalty of $2,500 per violation and $7,500 per intentional violation. Cal. Civ. Code § 1798.155.
- VCDPA grants enforcement authority to the State Attorney General, with a maximum civil penalty of $7,500 per violation. Va. Code Ann. § 59.1-580(C).
Given all the similarities, one theme certainly emerges: it is increasingly important to know your company's data and how it is processed, to be able to tag and track it from cradle to grave, and to provide consumers their applicable rights, particularly around sensitive personal data.
In addition, contracting with service providers is becoming increasingly prescriptive, as well as urgent. Like the CCPA/CPRA and VCDPA, the ColoPA requires companies to implement data processing agreements between Controllers and Processors that set out instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. Processing agreements must also require the Processor to: (1) ensure that persons processing data are subject to a duty of confidentiality, (2) delete or return all personal data (at the Controller's option) at the end of the provision of services, and (3) make available to the Controller all information in its possession necessary to demonstrate compliance with the obligations of the ColoPA. If an appropriate agreement is not in place, disclosing personal information to the third party may constitute "the sale of personal information" and the third party may qualify as a Controller.
For businesses in the process of remediating contracts in light of the new EU Standard Contractual Clauses that have just come out, consideration should be given to whether to start incorporating the ColoPA contracting requirements, as well as those of Virginia and California. A GDPR Data Processing Agreement (DPA), in addition to the new Standard Contractual Clauses, largely covers the US state law privacy requirements; but there are additional terms (such as an express prohibition on any further selling or sharing of data, and the certification requirement) that businesses may want to consider including.
Finally, in the Governor’s signing statement, he called on the legislature to keep working on the law prior to its July 1, 2023 effective date, so companies should continue to keep a close eye on Colorado, as well as on the other US states that are closing in on their own enhanced privacy laws, particularly in New York.