On July 7, 2021, Governor Jared Polis signed into law the Colorado Privacy Act (CPA), making Colorado the most recent state to enact comprehensive privacy legislation. While the CPA does not take effect until July 1, 2023, it contains robust provisions that businesses will need some time to prepare for.
The CPA draws many principles from and has a similar framework to the California Consumer Privacy Act (CCPA), California Privacy Rights and Enforcement Act (CPRA), and Virginia Consumer Protection Data Act (VCDPA), but there are some important differences in the CPA.
Similar to the CPRA and the VCDPA, the CPA gives consumers the right to access and control certain types of personal data that businesses collect and maintain by:
- affording consumers certain rights with regard to their data;
- imposing affirmative duties upon companies that hold personal data; and
- empowering the Colorado Attorney General and local District Attorneys to perform evaluations, impose penalties, and prevent future violations.
The CPA affords consumers in Colorado five specific data rights:
- to opt out of the processing of personal data for targeted advertising, sale of personal data, or “profiling” in furtherance of decisions that produce legal or similarly significant effects for the consumer. (“Profiling” is defined as “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”)
- to access to their personal data and to confirm whether a controller is processing their personal data;
- to correction of inaccuracies in the consumer’s personal data;
- to deletion of personal data; and
- to data portability to obtain their personal data in a portable and usable format.
Businesses must respond to consumer requests asserting these rights within 45 days.
The CPA also contains a number of affirmative duties on businesses:
to provide a “reasonably accessible, clear, and meaningful privacy notice” notifying consumers of the categories collected and shared with third parties, purposes for processing, means through which consumers can exercise their rights, disclosures of sale or processing to third parties for targeted advertising (and how consumers can opt out);
- purpose specification
to provide the express purposes for collecting and processing personal data;
- data minimization
to limit the collection of personal data to that which is “adequate, relevant and limited to what is reasonably necessary in relation to the specified purpose”;
- limits on secondary use
to not process personal data for purposes that are not “reasonably necessary or compatible with the specific purpose” for its collection and processing;
to “take reasonable measures to secure personal data during both storage and use from unauthorized acquisition”;
to “not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers”; and
- protecting sensitive data
to refrain from processing sensitive data without first obtaining consent.
Covered businesses also must conduct data protection assessments for processing that involves heightened risk activities, such as targeted advertising, profiling, selling data, and processing sensitive data. They also must comply with requests by the Colorado Attorney General to give access to the assessments.
The Colorado Attorney General and state district attorneys share the power of enforcement, and the CPA does not provide for a private right of action.
Businesses covered by the law
The CPA does not apply to every business. It only applies to entities that:
- have contacts with Colorado by:
- conducting business in Colorado;
- producing products or services intentionally targeted to residents of Colorado;
- delivering products or services intentionally targeted to residents of Colorado; and:
- reach a specified level of consumer data control or processing:
(a) control or processing of data of 100,000 consumers or more in the calendar year; or
(b) profiting from the sale of personal data and processes or controls the data of 25,000 consumers or more.
Exemptions and Exceptions
While the CPA’s enumerated consumer rights are broad, there are numerous types of data excluded from its scope, and several exemptions. Primarily, there is an exemption for financial institutions subject to the Gramm-Leach-Bliley Act and for Colorado’s higher education institutions. The CPA also exempts “data maintained for employment purposes.” The CPA will not cover information subject to FCRA, COPPA, and FERPA. Additionally, the CPA will not cover de-identified data that cannot be linked to an identifiable person and exempts HIPAA-regulated data and data under covered entities and health care facilities and providers.
The definition of “consumers” in the CPA is limited to individuals who are Colorado residents “acting in an individual or household context” and similar to the approach of the CDPA, the definition does not include “an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”
The CPA has a relatively broad definition of “sale,” but carves out a number of types of data disclosures within the definition to limit the scope that are similar to those of the CDPA. The CPA defines “sale” as “the exchange of personal data for monetary or other valuable consideration.” These “sales” do not include disclosure of personal data to a processor that processes data for the controller, the disclosure to a third party for service requested by the consumer, disclosure to an affiliate, disclosure to a third party that proposed or actual transaction where the party assumes control of the controller’s assets, a disclosure requested by the consumer to a third party, or disclosure of data that a consumer intentionally made available to the general public via a channel of mass media.
Other Notable Differences between the CPA, VCDPA, CCPA and CPRA
- The CPA, like the VCDPA, uses controller/processor terminology similar to the GDPR.
- The opt-out rights of the consumer in the CPA are very similar to those in the VCDPA
- The CPA, like the CCPA, defines “sale” broadly to include those transactions that are for value, while the VCDPA limits sales to those for monetary consideration.
- While the CCPA and the VCDPA both provide an exemption for non-profit organizations, the CPA does not.
- The CPA also gives controllers the right to object to any subprocessors, while the VCDPA and CCPA do not.
The Colorado, California and Virginia consumer privacy laws also have different definitions for “sensitive information” and how businesses must treat that data. Each requires businesses that collect sensitive data to first obtain consumer consent. However, the CPA provides a stricter definition of consent, requiring consent to be “freely given, specific, informed and unambiguous agreement” which does not include general or broad terms, “hovering over, muting, pausing, or closing a given piece of content,” or “agreement obtained through dark patterns” (although “dark patterns” is not defined).
Changes May Be Coming
There may be some changes made to the CPA before it becomes effective in 2023. Governor Jared Polis noted that the Act needs clean-up legislation in the next year and still has “several issues outstanding,” so watch this space for future developments.
*Many thanks to summer associate, Dania Keller, for providing us with the underlying research for this post.