Colorado recently passed and signed into law the Colorado Privacy Act (CPA), the latest in an emerging patchwork of state privacy legislation in the United States. It is mostly an iteration of Virginia’s Consumer Data Protection Act (CDPA), also passed this year, but it has a few of its own unique features. It also takes a number of cues from the California Consumer Privacy Act (CCPA), America’s first comprehensive data privacy law.
The CPA goes into effect on July 1, 2023, but it’s not too early for businesses to start evaluating the new law and how it will affect their data privacy compliance strategy.
Like the CDPA, the CPA borrows some of its terminology from the European Union’s General Data Protection Regulation (GDPR). Most of the law’s obligations fall on “controllers,” i.e., persons or entities that determine “the purposes for and means of processing personal data.” A controller must comply with the CPA if it (1) conducts business in Colorado or produces commercial products or services intentionally targeted to state residents and (2) meets one of the following criteria:
This second threshold is unique to the CPA and has the potential to apply to more businesses than either the CCPA or CDPA. “Sale” is defined as any exchange of personal data for monetary or other valuable consideration. The “or other valuable consideration” component is taken from the CCPA, and as with the CCPA, it is vague and open to interpretation. However, this section of the law strongly suggests that a discount on products or services is considered valuable consideration, possibly qualifying many disclosures of personal data as sales. For example, if a business uses free cloud-based software and enters consumers’ personal data into that program, the free use of the software could be considered a discount; unless the exchange of data falls under one of the exceptions to the definition of selling, it may be a sale of personal data.
The CPA protects “consumers,” defined as Colorado residents acting in an individual or household capacity. It specifically does not include people acting in a commercial or employment context, so businesses do not have to extend CPA protections to their employees or B2B contacts. This is different from the CCPA, which currently has only a temporary exemption for employment and B2B data.
The CPA applies to consumers’ “personal data,” defined as information that is “linked or linkable to an identified or identifiable individual.” This definition is comparable to language found in other privacy legislation and can encompass a wide variety of data. For this reason, the types of information specifically identified as not being personal data are very important. For example, publicly available information—information made available from government records or which the consumer has made widely available—is not considered personal data.
There are also numerous exemptions for entities and data that are already covered by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA).
Controllers have several duties under the CPA. These duties are:
In addition to this list of duties, controllers must also respond to consumer requests with regard to their privacy rights.
The CPA creates several data privacy rights for consumers, all of which are familiar from the CDPA and CCPA.
As with the CDPA, any processing of “sensitive data” may only be done with the consumer’s prior consent. Sensitive data is:
A “child” is anyone under the age of 13. This is one area where the CPA and CDPA are more restrictive than the CCPA. Under the CCPA, a business must have consent before selling the personal information of consumers under the age of 16; the CPA requires a parent or guardian’s consent before any processing of a child’s personal data.
Consent must be “freely given, specific, informed, and unambiguous.” Among other things, this means that such consent cannot be buried in a larger set of terms and conditions. Consent also must be given by an affirmative act, so it probably cannot take the form of “By continuing to use this website you consent to the following…” (or some version of that). Nor can valid consent be obtained by “dark patterns,” user interfaces designed to subvert or impair user autonomy, decision making, or choice. A common example of a dark pattern is to make a button you want the user to click (“Yes, I agree”) much larger and more colorful than the button you don’t want them to click (“No, I don’t agree”).
Before conducting any processing that presents a “heightened risk of harm” to consumers, a controller must first complete a data protection assessment. A data protection assessment is a written document that weighs the benefits of the processing against any risks to the rights of the consumer, taking into account potential safeguards and other factors. Processing that presents a heightened risk of harm includes:
A controller’s data protection assessments must be made available to the Colorado Attorney General upon request, though they are confidential and exempt from public inspection.
Consumers may appeal a controller’s refusal to take action on a privacy request. This appeal is to the controller itself, not to a third party or governing body. For example, if a controller declines to delete some or all of a consumer’s personal data, citing one of the CPA’s exceptions, the consumer may contact the controller again and appeal that decision. This means that CPA compliance will require the establishment of an internal appeals process. There is no detailed guidance yet as to how such a process must work, but at a minimum it should involve forwarding the appeal to someone other than the person who handled the initial privacy request.
A unique characteristic of the CPA is that it may be enforced not only by the Colorado Attorney General, but by local district attorneys as well. One possible outcome of this decentralization is that enforcement may be more frequent than it is in other states. The statute does not set out its own structure for fines, instead stating that a violation of the CPA is a deceptive trade practice, which is punishable under state law by up to $20,000 per violation.
Before an enforcement action can commence, organizations must be given 60 days to cure any alleged violations. However, this mandatory cure period will only be in effect for the first 18 months, with a sunset date of January 1, 2025.
Like the CDPA, the CPA does not create a private right of action for consumers.
The Colorado Privacy Act is part of a growing trend of state privacy laws that can have a great impact on how businesses operate. Trying to navigate this complicated web of rules will only get more complicated. TrueVault Polaris makes privacy compliance simpler and more cost effective. By automating time-consuming tasks and providing a guided software experience, TrueVault Polaris can help your business quickly get compliant and stay that way. Contact our team today to learn more.