Overview of the Recently Passed Colorado Privacy Act

Overview of the Recently Passed Colorado Privacy Act

This summer, Colorado became the third state to pass a comprehensive privacy law.^[1] On July 7, 2021, Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law, with it set to take effect July 1, 2023.^[2] Colorado now follows in the footsteps of both California and Virginia in enacting a comprehensive privacy law in order to protect state residents’ personal data.^[3] Businesses in Colorado now have until July 1, 2023 to come into compliance with the CPA.^[4] The provisions in the CPA are not particularly groundbreaking, but the CPA demonstrates the growing trend of states enacting privacy laws.^[5]

Who is Covered by the Act?

The CPA is intended to protect the personal data of Colorado consumers, who are residents “acting in an individual or household context”.^[6] The CPA requires businesses to meet certain requirements in their handling of consumer’s personal data, which is “information that is linked or reasonably linkable to an identified or identifiable individual.”^[7] “It does not protect employment data, de-identified, or publicly available data.”^[8] The Colorado Privacy Act defines a “controller” of personal data as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data,” and it defines a “processor” as “a person that processes personal data on behalf of a controller.”^[9] Thus, the CPA covers any legal entity who controls and processes data and “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to the residents of Colorado,” and at least “controls or processes the personal data” of 100,000 or more consumers in a year or “derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of” at least 25,000 consumers.^[10]

What Does the Act Entail?

The provisions of the CPA that have the most direct effect on Coloradans can be divided into two parts: (1) the rights the Act grants to Colorado consumers; and (2) the obligations the Act places on businesses.

(1) Under the CPA, Colorado consumers are given five rights over their personal data:

•   The Right to Opt-Out: consumers have “the right to opt out of the processing of personal data concerning the consumer for purposes of: targeted advertising; the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”^[11]

•   The Right to Access: consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”^[12]

•   The Right to Correction: consumers have the right to correct inaccuracies in their personal data.^[13]

•   The Right to Delete: consumers have “the right to delete personal data concerning the consumer.”^[14]

•   The Right Data Portability: consumers have a right to obtain their personal data in a portable and ready to use format “that allows the consumer to transmit their data to another entity without hinderance.”^[15]

(2) Under the CPA, data controllers and processers that fall under the scope of the act have the following obligations when it comes to consumer’s personal data:

•   Duty of Transparency: the controller must “provide consumers with a reasonably accessible, clear, and meaningful privacy notice.”^[16]

•   Duty of Purpose Specification: a controller has to specify the expressed purpose for which the personal data is being collected and processed.^[17]

•   Duty of Data Minimization: “a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” ^[18]

•   Duty to Avoid Secondary Use: a controller must first obtain the consumer’s consent before they process personal data for a purpose that is not reasonably necessary or compatible with the specific purpose for which the data was originally processed.^[19]

•   Duty of Care: a controller must take reasonable measures to prevent unauthorized access to personal data and to implement security practices that are appropriate for the nature of the data being processed and the nature of the business.^[20]

•   Duty to Avoid Unlawful Discrimination: personal data cannot be processed in violation of any state or federal laws that prohibit unlawful discrimination.^[21]

•   Duty Regarding Sensitive Data: before a controller processes a consumer’s sensitive data, they must first obtain the consumer’s consent.^[22] The Act defines sensitive data as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data; or personal data from a known child.”^[23]

•   Data Processing Contracts: requires that processing by a processor must “be governed by a contract between the controller and the processor” that gives instructions to the processor on how to handle the data to which the processor is bound to follow.^[24]

Implications for Consumers

 Out of these provisions, the one that will probably have the most significant impact on Colorado residents is the “opt-out” provision. The CPA requires data controllers to “clearly and conspicuously” disclose to consumers if the controller is selling their personal data to third parties for purposes of targeted advertising.^[25] Controllers must provide opt-out information in any already required privacy notice and also in a readily accessible location outside the privacy notice as well.^[26] The exact look of the opt-out mechanism is yet to be determined and its requirements will be defined by the Colorado Attorney General some time before the law goes into effect.^[27] However, Coloradans can probably expect something similar to how Californian’s have their “opt-out” rights presented to them under the California Consumer Privacy Act (“CCPA”). The image below is an example taken from Snapchats’ privacy policies that shows how a business alerts California consumers to their data rights.^[28] From notices of this type, business will often proceed via a click-through link to inform California consumers of their rights and how to exercise them under the CCPA. These CCPA notices have been displayed on most large company’s websites for a few years now and can generally be found in the company’s privacy notice or in an app’s “settings” page. While the average of Coloradan might not pay much attention to the notices that the CPA will soon require, the more privacy conscious Colorado consumer will now have an avenue to take greater control over how their personal information is used. It can also be seen from the Snapchat example that companies will probably create a notice specifically addressed to Coloradans. Like the CCPA, the CPA only gives certain privacy protections to residents of that state. Most companies will only provide these new protections to the specific populations that the state law requires. Thus, right now a New Yorker would not be able to take advantage of all the options in a California directed privacy notice. That might change in the future when enough states have enacted comprehensive privacy laws that companies find it easier to just make a blanket change to their policies, but until then Colorado residents can expect to be in a privileged position among most other American citizens.

Enforcement

The CPA provides that the State Attorney General and District Attorneys have exclusive authority of enforcement.^[29] Additionally the Act does not provide any right of private action.^[30] Meaning if a Coloradan feels that their CPA rights have been violated, they cannot sue the business directly. However, if a business fails to respond or denies a request from a consumer in regard to the five rights afforded to them, the consumer has a right to appeal to the data controller.^[31] Furthermore, if the consumer has concerns about the result of the appeal, the controller is required to inform the consumer of their right to contact the Attorney General.^[32]

As far as penalties go, the Act provides no specific guidance on fines.^[33] A violation of the CPA is considered a deceptive trade practice, and thus the penalties are governed by the Colorado Protection Act, which stipulate fines up to $20,000 per violation.^[34] The Attorney General and District Attorneys also have the power to seek an injunction for violations of the CPA.^[35]

Key Differences between Colorado’s Privacy Act and the California and Virginia Privacy Laws

While the CPA largely tracks many aspects of the laws recently passed in California and Virginia, there are some differences that are worth noting. First, the CPA’s definition of which businesses fall under the Act is broader than the California Consumer Privacy Act. Under the California law, business that derive less than 50% of their revenue from selling California resident’s personal data are not covered by the Act and there is a $25,000,000 gross revenue minimum requirement to be covered.^[36] The CPA has no revenue requirement for businesses, and thus the CPA may apply to more small, regional businesses than the CCPA, leaving some business that fall below the CCPA revenue threshold to now have to comply with the CPA’s personal data standards.^[37] Second, Colorado follows Virginia in allowing consumers the right to appeal denied requests from data controllers, while the CCPA has no right to appeal provision.^[38] Third, under the CPA, when the Attorney General or District Attorneys provide notice to a data controller that they are initiating an action against them, the controller has 60 days to cure.^[39] This cure timeframe is noticeably longer than California and Virginia which only allow 30 days to cure after receiving notice for a violation. ^[40] Fourth, while Virginia and California provide a full exemption for entities that have to comply with the Health Insurance Portability and Accountability Act, Colorado does not give a full exemption to healthcare controls already subject to HIPPA’s personal data requirements.^[41] Instead, the CPA opts to list out a string of healthcare related exceptions instead of one blanket HIPPA exception.^[42] Fifth, unlike Virginia, the CPA does not grant an exemption to nonprofit organizations.^[43]

Whether these differences in the Colorado Privacy Act make a meaningful difference is yet to be seen, however, most companies that already fell under the privacy laws for California and Virginia will also have to now comply with the CPA. It is thus important that they adjust their data collection and processing policies and procedures accordingly before it goes into affect in a little less than two years from now. Smaller companies, that now for the first time are covered by a state privacy law, should start to prepare for an overhaul of their data collection and processing policies. Companies in that position may want to take an assesment of their current proceedures and consult with a privacy professional to help bring those procedures into compliance with the CPA.

Conclusion

The Colorado Privacy reflects a growing trend among states to protect consumer’s personal data. The law is not significantly groundbreaking in its provisions and is largely similar to California’s and Virginia’s privacy acts, with notable small deviations. ^[44] However, the CPA continues to add to the diverse web of privacy laws in the United States. Going forward, business operating in jurisdictions with comprehensives privacy laws will need to be increasingly cognizant of the complex array of statutory requirements that they must comply with. Additionally, new companies and existing companies developing new products or services will need to design said products and services with privacy regulations in mind from the start. Over the next decade other states will most certainly join Colorado in enacting consumer data protection laws.