Colorado passes comprehensive consumer privacy legislation

On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law, making Colorado the third U.S. state to implement a comprehensive privacy law.  The CPA will take effect on July 1, 2023, six months after the California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“VCDPA”) take effect.

The CPA’s applicability to businesses will be subject to thresholds based on the volume of personal data processed, not on revenue. Specifically, the CPA will apply to any “controller” or “processor” that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted at residents of Colorado, and which either: (a) controls or processes the personal data of at least 100,000 Colorado residents in a year; or (b) derives revenue or any discounts from the “sale” of personal data and controls or processes the personal data of at least 25,000 Colorado residents. Unlike the California Consumer Privacy Act (“CCPA”), which has been in effect since January 2020, and the CPRA, the CPA does not have any revenue thresholds, meaning that a business will not become subject to the law merely by generating a certain amount of revenue. The CPA is more similar to the VCDPA than it is to either the CCPA or CPRA, but the laws do share several commonalities.

Key provisions include:
  • Consumer rights – The CPA will give Colorado residents the right to access their personal data, obtain a portable copy of their personal data, request deletion of their personal data, opt out of the “sale” of their personal data, opt out of “targeted advertising” and be guaranteed to not be discriminated against for exercising any of the foregoing rights. 
  • Deadline to respond to requests – Businesses must either honor or decline these requests within 45 days of receipt (extendable to 90 days under certain circumstances), which is in line with California and Virginia law (except that California law requires sale opt-outs to be honored within 15 business days). 
  • Appeals right – Like the VCDPA, the CPA requires controllers to establish a process for a consumer to appeal the controller’s refusal to take action on a request.  A controller must also notify the consumer of the ability to lodge a complaint with the Attorney General if the consumer has concerns about the result of the appeal.
  • Sale opt-out – The CPA defines “sale” as the exchange of personal data for monetary or other valuable consideration, but excludes the sharing of personal data with service providers or where a consumer uses the business to intentionally interact with a third party, among others.  This definition mirrors the California framework (which allows for non-monetary consideration to trigger a sale, unlike the VCDPA’s narrower construction).
  • Sensitive data – The CPA will require businesses to obtain prior opt-in consent to process “sensitive data” (defined to include data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic data, biometric data, or personal data from a known child). Unlike the VCDPA, the CPA does not treat precise geolocation as sensitive data. Consent must be freely given, specific, informed and unambiguous.
  • Data protection assessments – Data protection assessments are required before a controller can conduct any processing that presents a heightened risk of harm to a consumer, such as processing sensitive data, processing for targeted advertising, selling personal data, or profiling if there is a reasonably foreseeable risk of financial or physical injury to consumers. Data protection assessments must identify and weigh the benefits of the processing to the controller, the consumer and other stakeholders against the risks to the consumer associated with the processing (accounting for any mitigation steps used).  The controller must provide a copy of data protection assessments to the Attorney General upon request. 
  • Fair information processing and similar duties – Under the CPA, controllers will have several duties imposed on their data processing.  For instance, controllers will be subject to a new duty of purpose specification, wherein they must specify the express purposes for which personal data will be collected and processed.  Controllers will also be subject to a new duty of data minimization, which requires controllers’ data collection to be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data is processed.  Controllers will also be subject to a new duty to avoid secondary uses of personal data, absent express consent.  In addition, controllers will be subject to a new duty of care, meaning that they must implement and maintain appropriate security measures, based on the volume, scope and nature of the personal data processed.

Employment Data and B2B Data Are Not Covered

The CPA will not apply to personal data collected in the employment context or the B2B/commercial context.  This is in line with the VCDPA and the CCPA (already in effect).  However, under the text of the CPRA statute, the CCPA’s current exemptions for employment data and B2B data are scheduled to sunset after December 31, 2022.  It remains unclear whether the California legislature will pass an amendment to extend the sunset date or make permanent the temporary CCPA exemption for employee and B2B personal data.

Regulatory Enforcement, No Private Right of Action

The CPA will not have a private right of action.  Instead, it will only be enforceable by the Colorado Attorney General. Moreover, through the end of 2024, the CPA will provide businesses with a 60-day right to cure alleged non-compliance before the Attorney General may pursue enforcement actions, including fines of up to $2,000 per violation (capped at $500,000 for all related violations).

Exemptions

The CPA will exempt personal data that is already subject to other laws like Gramm-Leach-Bliley or FERPA, in line with California and Virginia.  Health care controllers are exempted from many obligations, but the CPA does not provide a blanket exemption for HIPAA covered entities.

Take-Aways and Action Items
  • The CPA signals the continuation of a growing trend of state governments enacting comprehensive privacy laws in the absence of a single federal law.  Though no two state laws are the same, it is possible to craft a U.S. privacy compliance program in a streamlined manner that is principles-based and will be adaptable if (or more likely, when) more states follow suit. 
  • To prepare for 2023 and beyond, businesses should conduct a privacy compliance assessment, mapping their privacy controls to the requirements in the different state laws and to a principles-based privacy framework, and review (or undertake) data mapping exercises, making sure to reflect applicable data handling practices that capture the key definitions under these new laws (e.g. sensitive data), categories of personal data, sources of data, use cases, and recipients of data. These steps will help position businesses to comply with the CPA and to adapt to any future state laws that follow.