On July 7, 2021, Colorado enacted a new privacy law, titled the Colorado Privacy Act (CPA). The CPA is the third state-level omnibus data privacy law, similar in scope to the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), enacted in 2018 and earlier this year, respectively. The CPA will come into force on July 1, 2023.
Like the VCDPA, the CPA uses concepts and terminology from the EU’s General Data Protection Regulation (GDPR). This includes using the term “personal data” for personal information and “processing” for the collection, alteration, storage, use, or disposal of personal information. The CPA also adopts GDPR’s conceptualization of data processors and data controllers. Under the CPA, a data processor is a natural or legal person that processes personal data on behalf of another person, and a data controller is a person that, alone or jointly with others, determines the purposes for and means of processing personal data. These definitions are similar to the definitions of these terms under the GDPR and the VCDPA.
Although the CPA is most similar in structure and obligations to the VCDPA, and also shares a number of requirements with the California Privacy Rights Act (CPRA), which amended the CCPA, the CPA differs from both laws in some of its specifics. For example, the CPA does not exempt non-profit entities and does not apply to employee or business-to-business data. Therefore, while it is clear that states are looking to one another for models of privacy legislation, the various differences warrant independent scrutiny of each state law.
The CPA was enacted against a backdrop of multiple privacy bills progressing through state legislatures. To date, over 25 state legislatures have introduced privacy regulation bills similar to the CPA; with the most recent being Ohio, where a bill was introduced two weeks ago. In addition to Ohio, CPA-like bills are currently under consideration in the Massachusetts, New York, North Carolina, and Pennsylvania legislatures.
The CPA applies to any company that (i) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and (ii) either (a) controls or processes the personal data of 100,000 Colorado residents per year or (b) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.
The CPA exempts from its application data subject to certain other laws, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act. The CPA also exempts employment records and certain data held by public utilities, state government, and public institutions of higher education. Notably, non-profit entities are not exempt from the requirements of the CPA.
The CPA establishes a set of consumer data rights similar to those established by the VCDPA and CCPA: a right of access, a right of correction, a right of deletion, a right of data portability, and the right to opt out of targeted advertising, sales of personal information, and profiling decisions that produce legal or similar effects on a consumer. Data controllers must respond to requests within 45 days and establish an appeals process.
Data controllers are required to provide consumers with an accessible, clear, and meaningful privacy notice that describes the types of data collected, how it is used, which data is shared with third parties, and which third parties receive the data. The privacy notice must also state how and where consumer can exercise their rights. Unlike with VCDPA, the re-identification of de-identified data is not required when responding to requests, and data subject rights do not have to be fulfilled with regard to de-identified data.
Similar to the VCDPA, data controllers are prohibited from processing “sensitive data” absent a consumer’s opt-in consent. Sensitive data is defined as data revealing racial/ethnic origin, religious beliefs, a physical or mental health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data that is processed for individual identification purposes, and any personal data from a known child. Consent can be given via a “clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement,” such as an electronic statement.
The CPA creates requirements for relationships between data controllers and data processors. Data controllers must have contracts in place with each data processor, addressing, among other terms, audits of the processor, and the confidentiality and technical security requirements of the data that is processed. Notably, a data processor must provide a data controller an opportunity to object every time that a data processor engages a sub-processor for the data.
Similar to VCDPA, the CPA creates a requirement that data controllers conduct a data protection assessment (DPA) where the processing of data “presents a heightened risk of harm to a consumer.” Such a risk is presented when, for example, processing creates a risk of unfair or deceptive treatment, disparate impact, financial or physical injury, intrusion upon seclusion or other offensive privacy invasions, or other “substantial injury” to consumers. DPAs are also required where a business intends to sell personal information or process sensitive data (discussed above). Also like the VCDPA, DPAs must be provided to the Colorado Attorney General upon request. DPAs received by the Attorney General are confidential and exempt from Colorado’s open records act or any rules regarding waiver of privilege.
The act expressly disclaims a private right of action and is enforced by the Colorado Attorney General and by Colorado district attorneys. The Colorado Attorney General is also empowered to promulgate implementing regulations, although the law does not set a deadline for such regulations. A violation of the CPA constitutes a deceptive trade practice under the Colorado Consumer Protection Act, subject to civil penalties of up to $2,000 per violation for each consumer and transaction, with a maximum penalty of $500,000 for related violations.