Colorado is set to become the third U.S. state to pass comprehensive data privacy legislation. Following a number of revisions, Senate Bill 190, also referred to as the Colorado Privacy Act (“CPA”), passed the Colorado House and Senate. The bill now awaits approval from Governor Jared Polis. If the bill is not vetoed, the law will establish a framework for controlling and processing personal data in Colorado that parallels legislation like the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), as well as the European Union’s General Data Protection Regulation (“GDPR”). Notably, the Act does not create a private right of action for consumers. The law would take effect on July 1, 2023. This article includes a chart comparing certain provisions of the CPA to the CCPA (as amended by the CPRA), the GDPR, and the VCDPA, as well as a breakdown of key provisions.
The CPA “[a]pplies to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that either: [x] [c]ontrol or process personal data of more than 100,000 consumers per calendar year; or [y] [d]erive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and [d]oes not apply to personal data governed by listed state and federal laws, listed activities, and employment records.” The CPA does not contain the gross revenue threshold seen in the CCPA.
Similar to the VCDPA, under the CPA, a “consumer” is “an individual who is a Colorado resident acting only in an individual or household context.” The CPA’s definition of consumer does not include “an individual acting in a commercial or employment context, a job applicant, or as a beneficiary of someone acting in an employment context.”
Much like the GDPR and the VCDPA, the CPA allocates responsibilities based on an organization’s role as a controller or processor. Although the CPA places most responsibilities on controllers, it does place an affirmative duty on processors to aid controllers in their compliance efforts. This duty includes assisting controllers in permitting consumers to exercise their rights under the CPA, permitting audits by the controller, and conducting data protection impact assessments. Broadly speaking, a “controller” determines the reasons for which personal data is processed and the manner in which that personal data processing is conducted. Meanwhile, a “processor,” as the name suggests, processes that personal data solely on behalf of the controller.
The CPA requires controllers and processors to enter into a written agreement regarding the processor’s handling of personal data collected by the controller. This contract must include certain provisions, including: (1) identification of the personal data subject to processing and the purpose and duration of processing, (2) a prohibition on the processor engaging a subcontractor before the controller has been given an opportunity to object, and (3) a requirement that the processor flow down CPA compliance obligations to all subcontractors via written contract.
The CPA creates an array of individual rights that parallel the rights created by the GDPR, the CCPA, and the VCDPA. Under the CPA, a consumer has the right to (1) opt out of any processing of their personal data for targeted advertising, sale, or profiling, (2) access and obtain a portable copy of their personal data, (3) make corrections to their personal data, and (4) delete their personal data. Much like the VCDPA, the CPA moves the processing of “sensitive” personal data to an opt-in regime that requires a consumer’s explicit permission, as demonstrated by a clear, affirmative act signifying the consumer’s freely given, specific, informed, and unambiguous consent. Similar to the recently amended CCPA regulations, the CPA prohibits the use of “dark patterns” in obtaining this consent. The CPA defines sensitive data as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status… genetic or biometric data that may be processed for the purpose of uniquely identifying an individual… or personal data from a known child.”
A consumer’s request must be verifiable, and the CPA permits controllers to deny any request that cannot be authenticated. Controllers cannot charge a fee for a consumer’s first request. However, beginning with the second request made by a consumer in a 12-month period, controllers are permitted to charge. Additionally, aside from certain limited opportunities for extension, controllers are required to respond to consumer requests within 45 days of receipt of the request. Much like the VCDPA, under the CPA, consumers must be afforded the opportunity to appeal any denials of requests.
The CPA also creates obligations related to the processing of de-identified data. Under the CPA, a controller in possession of de-identified data is required to (1) “take reasonable measures to ensure that the data cannot be associated with an individual,” (2) “publicly commit to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data,” and (3) contractually obligate any recipients of the de-identified data to comply with the requirements of the CPA.
The CPA defines “sale” as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” While this definition’s use of “valuable consideration” expands “sale” beyond purely monetary transactions, making it more like the definition in the CCPA than the VCDPA, the CPA includes several express exclusions from its definition of sale, including (1) “[t]he disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,” (2) “[t]he disclosure or transfer of personal data to an affiliate of the controller,” and (3) “[t]he disclosure of personal data: (a) [t]hat a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or (b) [i]ntentionally made available by a consumer to the general public via a channel of mass media.”
Like the VCDPA, the CPA does not create a separate enforcement agency and does not establish a private right of action for the consumer. Rather, enforcement of the CPA sits with Colorado’s Attorney General and district attorneys. Specifically, prior to initiating an enforcement action under the CPA, the controller or processor will be provided a 60-day cure period to rectify noncompliance. This cure period will only be provided until January 1, 2025. If the controller or processor continues to violate the CPA after the 60-day cure period, the noncompliance is considered a deceptive trade practice, and the Attorney General or a district attorney is authorized by the CPA to initiate action and seek damages of up to $20,000 per violation, up to a total of $500,000 for a related series of violations, notably higher than the per-violation penalties under the CCPA and VCDPA.
The Colorado Legislature passed the CPA on June 8, 2021. The act will take effect beginning July 1, 2023, unless Governor Polis vetoes the bill within 10 days of its transmission to his office.
The CPA melds obligations from a variety of data privacy legislation, and compliance takes time. Organizations should determine applicability as soon as feasible. Organizations within the CPA’s scope should allocate costs and time to implement any necessary changes to ensure compliance by July 1, 2023. For example, covered organizations should (1) create and/or update a comprehensive data inventory that provides insight into both the types of data involved and nature of each processing activity, (2) take steps to segregate sensitive data, and (3) implement a framework for managing consents and conducting data protection impact assessments. In developing any compliance program for the CPA, businesses should also keep in mind the potential impact of comprehensive data privacy legislation pending in states such as Massachusetts and North Carolina.