This article is co-authored by summer associate Mark Appleton.
Colorado Governor Jared Polis recently signed into law the Colorado Privacy Act (“CPA”), set to go into effect on July 1, 2023. This makes Colorado the third U.S. state after California and Virginia to enact a comprehensive data privacy law. Modeled after Virginia’s law, the CPA grants consumers five significant rights over how businesses process their “personal data”—defined as information that is linked or reasonably linkable to an identified or identifiable individual—including the rights to:
- opt out of having one’s personal data processed for purposes of targeted advertising, sale of their personal data, or profiling efforts,
- access and confirm what personal data businesses are collecting on them,
- correct any inaccuracies in their personal data,
- delete their personal data, and
- portability that allows consumers to obtain personal data businesses have collected on them in a readily usable and transferrable format.
Like Virginia and California, Colorado does not consider employment records or publicly available or de-identified information to be personal data. “Consumers” are defined as Colorado residents acting in an individual or household (instead of a commercial or employment) context. To secure these rights, the CPA imposes several duties on entities doing business in Colorado including to:
- provide transparent and meaningful privacy notices to consumers and information on how and where they may exercise their rights,
- specify the express purposes for which consumers’ personal data are collected and processed,
- minimize data collection only to these specified purposes,
- avoid secondary use of any consumer data collected,
- care for consumer data by taking reasonable measures to secure it during storage and use from unauthorized acquisition,
- not process “sensitive data,” defined as data revealing racial or ethnic origin, religions belief, health conditions, sexual orientation, citizenship, or genetic or biometric data unique to an individual, without a consumer’s explicit consent, and
- avoid unlawful discrimination by not processing data in violation of state or federal laws prohibiting discrimination against consumers.
Colorado, like Virginia, will also require businesses to conduct data protection assessments for any data “processing that presents a heightened risk of harm to consumers,” and to develop procedures to receive and respond to consumer requests.
The CPA’s scope mirrors Virginia’s state privacy law, applying only to “controllers”—any person that alone or jointly with others determines the purposes for and means of processing personal data—conducting business in Colorado that meet at least one of two thresholds. The business must either control or process the personal data of at least:
- 100,000 consumers during a calendar year, and / or
- 25,000 consumers while deriving revenue or receiving discounts from selling personal data.
This contrasts with California, which instead applies more expansively to any business with annual gross revenues of $25,000,000; or, buys, sells or shares the personal information of 100,000 or more consumers or households; or, that derives 50% or more of its annual revenues from selling or sharing consumers’ personal information. The CPA also explicitly excludes from its purview several data types subject to federal laws and regulations, such as consumer financial information subject to the Gramm-Leach-Bliley Act, and health information governed by the Health Insurance Portability and Accountability Act, or HIPAA, among others.
Colorado’s new law, like Virginia’s, does not provide for a private right of action for violations, whereas California does in certain instances related to personal information security breaches. However, one of the CPA’s most notable differences from both California and Virginia’s laws is that it expands enforcement power to both the state attorney general’s office and county district attorneys. This contrasts with Virginia and California’s privacy laws, which leave enforcement solely to these states’ attorneys general and the newly created California Privacy Protection Agency. Colorado’s Attorney General is also required to adopt rules detailing technical specifications for one or more universal opt out mechanisms controllers must provide to Colorado consumers by July 1, 2023 when the CPA goes into effect.
California, Virginia, and now Colorado’s data privacy laws are likely the first of many that portend significant changes for many businesses. Although each law is different, and further guidance from regulatory authorities will clarify precisely what changes are required, businesses can and should begin taking steps to prepare for the more complicated compliance landscape implicated by the appearance of the CPA. Depending on the current state of the company’s preparedness, next steps may include:
- Identifying the full range of a business’s data collection activities for a nexus to Colorado consumers, and mapping data flows throughout the corporation and to third parties;
- Reviewing and updating (as necessary) existing data protection and privacy policies to ensure proper notifications to consumers of the rights provided them under the CPA, with an eye to maximizing general applicability across state requirements;
- Reviewing consumer interfaces to confirm Colorado consumers have the ability to opt-out of collection in conformity with the CPA;
- Providing the technical mechanism for Colorado consumers to exercise rights afforded them under the applicable state laws, which again will ideally be designed for general applicability across jurisdictions to the greatest degree possible; and,
- Ensure policies and procedures are in place for timely responses to consumers, as required by the respective laws.