In what has been an extremely busy and groundbreaking legislative session for data privacy, the Colorado Privacy Act has passed and is headed to Governor Polis’ desk for signature.
When does this law go into effect?
The CPA goes into effect on July 1, 2023.
Who does the CPA apply to?
The CPA applies to controllers that conduct business in Colorado, or produce or deliver commercial products or services intentionally targeted at Colorado residents, and that either:
- Control or process the personal data of 100,000 or more consumers during a calendar year; or
- Derive revenue (or receive a discount on goods or services) from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The statute also defines “processor” and “third party,” which scope in companies traditionally seen as vendors. These organizations will see requirements flow down from their business clients and should be prepared to answer questions about how they comply with their own data privacy obligations and how they assist their clients (the controllers) with meeting theirs.
What are the penalties and who enforces it?
The CPA will be enforced by the attorney general and district attorneys. There is no private right of action, but a violation constitutes a deceptive trade practice under the Colorado Consumer Protection Act. Civil penalties under that act run up to $20,000 per violation, capped at $500,000 for any related series of violations.
Similar to the CCPA, but more generous, the CPA also provides a 60-day right to cure for alleged violations. The cure period is temporary: it is repealed effective January 1, 2025.
What are the Requirements?
The CPA provides consumer rights including:
- The right to obtain a copy of the personal data the business is processing, in a portable and readily usable format;
- The right to know what personal data is collected and how it is processed and shared;
- The right to correct inaccurate personal data;
- The right to delete personal data;
- The right to opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects; and
- An appeals process when a business refuses to act on a request.
These requests must be honored within 45 days, with a single 45-day extension available depending on the complexity and number of requests. Businesses must honor requests free of charge, except that they may charge for a second or subsequent request within a 12-month period; the method for calculating that charge is to be specified in rules issued by the attorney general.
Businesses will also be required to make additional disclosures about their personal data processing activities, including the purposes of processing, the categories of personal data collected, and retention timeframes.
Further, taking into account the volume, scope, and nature of the personal data processed, controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Controllers also may not conduct processing that presents a heightened risk of harm to a consumer without first conducting and documenting a data protection assessment for each such processing activity. This requirement applies to processing activities involving personal data acquired on or after the effective date of July 1, 2023.
Processing that presents a heightened risk of harm includes:
- Processing personal data for purposes of targeted advertising or profiling, if the profiling presents a reasonably foreseeable risk of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial or physical injury to consumers;
  - A physical or other intrusion upon the solitude, seclusion, or private affairs of consumers, where the intrusion would be offensive to a reasonable person; or
  - Other substantial injury to consumers;
- Selling personal data; and
- Processing sensitive data.
A data protection assessment must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, taking into account any safeguards the controller uses to mitigate those risks. Assessments must be made available to the attorney general upon request.
Controllers are also bound by a set of duties that mirror common privacy principles:
- Transparency;
- Purpose specification;
- Data minimization;
- Avoiding secondary use (purpose limitation);
- Duty of care (reasonable security); and
- Avoiding unlawful discrimination.
In addition, controllers must obtain a consumer’s consent before processing sensitive data, and a parent’s or guardian’s consent before processing the personal data of a known child.
Exemptions from the CPA include, but are not limited to, data maintained in the employment context and information collected, processed, sold, or disclosed pursuant to the GLBA, HIPAA, and FERPA.