On July 8, Governor Jared Polis of Colorado signed a bipartisan bill into law that enhances consumers’ data privacy rights. Colorado is the third state to enact comprehensive data privacy legislation, following California and Virginia, with the passage of the Colorado Privacy Act (CPA).
Colorado’s new legislation recognizes that consumers are increasingly reliant on sharing their data to facilitate routine transactions. Sharing data can be useful to consumers and businesses, but such frequent use also accompanies risks. This is the twofold issue the state addresses with its new law: (1) encouraging the use and development of technologies that incorporate consumer data and (2) while ensuring the security of personal data through enhanced rules and enforcement mechanisms. This framework also guides how to review the legislation.
Looking at the Law
The CPA guarantees consumers certain rights, including:
At the same time, the law mandates that businesses take certain measures:
- safeguard personal data
- provide clear, understandable, and transparent information to consumers about how their personal data is used
- strengthen compliance and accountability by requiring data protection assessments of the collection and use of personal data, and
- grant access to the Attorney General and District Attorneys for evaluation, enforcement, and prevention purposes.
The CPA defines controller as one who:
a) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
b) satisfies one or both of the following provisions:
- controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
Classification is Key
The law distinguishes between processors and controllers.
|More limited role.
||More active in data transfer process and the legislation.
|Process personal data on behalf of controllers.
||Can work alone or with other controllers.
|Required to abide by controller's instructions.
||Determine the purposes for and methods by which processing of personal data can occur.
|Assist the controller in completing its obligations.
||Must respond to consumer requests.
|Required to ensure the processor's subcontractors are bound by a duty of confidentiality. If the subcontractor is unwilling, the processor should not contract with it.
- Purpose specification
- Data minimization
- To avoid secondary use
- Avoid unlawful discrimination
- Regarding sensitive data
The CPA is similar to the European Union’s General Data Protection Regulation and California’s and Virginia’s privacy law models. Considering that the California Consumer Privacy Act (CCPA) was the first data privacy law within the United States, it is helpful to compare it with Colorado’s law.
|CALIFORNIA CONSUMER PRIVACY ACT
||COLORADO PRIVACY ACT
- Text of CCPA excludes non-profits; however, there can be overlap if a non-profit has a for-profit subsidiary or joint venture, for example.
- Applies to for-profit businesses that meet any of the following:
- a gross annual revenue in excess of $25 million;
- buy, receive, sell personal information of 50,000 or more California residents, households, or devices; or
- derive 50% or more of their annual revenue from selling California residents’ personal information.
- No specific carve-out for controllers of non-profit entities based on the definition of controller.
- No revenue thresholds included; however, the CPA applies:
- to businesses that process personal information of 25,000 consumers and receive revenue or other valuable consideration for the sale of personal data; and
- even if a business derives less than 50% of its gross annual revenue from sales of personal data.
- A California resident may ask businesses subject to the CCPA:
- to disclose the personal information they have about the resident,
- what they do with that information,
- to delete that information,
- to not sell that information,
- Notification rights, including:
- the right to be notified before or after collection of your personal information,
- to be notified of the types of information collected, and
- the purposes and uses of collection.
- Right of access
- Right of correction
- Right of deletion
- Right to receive data and share it in a technical format
- Right to opt out
- Right to appeal
- Includes a private right of action.
- Enforcement via the Attorney General of California and the California Department of Justice.
- No private right of action.
- Enforcement via the Attorney General, District Attorneys of Colorado.
- No consumer right of appeal.
- Consumers have a right to appeal if a business denies the consumer a right granted under the CPA.
The CPA does not take effect until July 1, 2023. Until then, it is wise for businesses to prepare and adjust their policies to ensure they will be compliant. Once effective, businesses will be cited for non-compliance and have 60 days to cure deficiencies until January 1, 2025, at which point companies will no longer receive a grace period of 60 days.
The Attorney General takes enforcement measures, which can include civil penalties of $20,000 per violation with a maximum penalty of $500,000 for one related event. A violation will be considered a deceptive trade practice.