In an era where personal data is increasingly valuable and exposed to misuse, governments around the world are enacting comprehensive privacy laws to protect individuals’ rights and set rules for data handling. One such law is the Colorado Privacy Act (“CPA”), enacted as Senate Bill 21-190 and implemented through regulations adopted at 4 C.C.R. 904-3, which aims to safeguard consumer privacy and regulate how organizations handle personal data within the state of Colorado. In this article, we will explore the key aspects and implications of the CPA.
The Colorado Privacy Act was signed into law on July 7, 2021, making Colorado the third state in the United States, after California and Virginia, to pass comprehensive privacy legislation. The act aligns Colorado with the evolving landscape of data protection and establishes a framework for businesses to handle personal data responsibly. The CPA went into effect on July 1, 2023, with rulemaking and enforcement responsibility placed with the Attorney General’s office.
Key Provisions of the Colorado Privacy Act
- Scope and Applicability: The CPA applies to controllers that conduct business in Colorado or deliver products or services intentionally targeted to Colorado residents, and that either (a) control or process the personal data of at least 100,000 consumers in a calendar year, or (b) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers. A consumer for these purposes is a Colorado resident acting in an individual or household context, not someone acting in a commercial or employment context.
- Consumer Rights: The act grants several rights to Colorado residents regarding their personal data. Individuals have the right to access their data, correct inaccuracies, delete their data, obtain a copy of their data in a portable and readily usable format so it can be transferred to another provider, and opt out of the sale of their personal data. Consumers can also opt out of targeted advertising and of profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- Controllers and Processors: Under the CPA, businesses are categorized as either controllers or processors of personal data. Controllers, such as a retailer like Amazon or Walmart, determine the purposes and means of processing personal data and decide how it will be used, while processors, such as a cloud services provider, handle data on behalf of controllers. Some entities may be both a controller and a processor depending on how they interact with and use the data. Both controllers and processors have specific obligations under the CPA, but controllers naturally carry the bulk of the responsibilities. These include specifying the purposes for data processing, ensuring that only the data necessary for those purposes is processed, implementing reasonable data security practices, conducting data protection assessments, and executing data processing agreements with all of their processors.
- Data Protection Measures: The CPA requires controllers to take reasonable measures, appropriate to the volume, scope, and nature of the data, to secure personal data from unauthorized access, disclosure, and use. It also requires controllers to conduct and document data protection assessments before processing that presents a heightened risk of harm to consumers, such as targeted advertising, the sale of personal data, certain kinds of profiling, or the processing of sensitive data.
- Transparency and Consent: Transparency is a key principle of the CPA. Businesses must provide clear and easily accessible privacy notices that inform individuals about the categories of personal data collected, the purposes of processing, and the rights available to consumers. This includes clear and conspicuous disclosures if any personal data is to be sold or processed for targeted advertising and how consumers can opt out of these activities. Additionally, the CPA requires organizations to obtain consent before processing sensitive personal data. Sensitive data includes personal data of a known child under the age of thirteen; data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; and genetic or biometric data that may be processed to uniquely identify a person. The CPA sets out five elements that consent must satisfy. It must be:
- Obtained through the consumer’s clear, affirmative action;
- Freely given by the consumer;
- Specific;
- Informed; and
- A reflection of the consumer’s unambiguous agreement.
- Enforcement and Penalties: The Colorado Privacy Act empowers the Colorado Attorney General’s Office and district attorneys to enforce the law and investigate potential violations. A violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act, so a non-compliant business may face civil penalties of up to $20,000 per violation, with a maximum of $500,000 for any related series of violations. Only the Attorney General or a district attorney may bring an enforcement action; the CPA does not give consumers a private right of action.
Implications and Compliance Challenges
The CPA presents several implications for businesses operating in Colorado. Organizations will need to assess their data handling practices, update privacy policies, implement data protection measures, and establish procedures to respond to consumer requests. Compliance with the CPA may require significant investments in technology, personnel, and legal resources, especially for organizations with complex data processing operations.
Compliance with the CPA can be challenging due to its broad scope and the need for collaboration between various departments within an organization. Businesses should proactively review their data practices, conduct privacy impact assessments, and ensure that proper consent mechanisms and data protection measures are in place.
In furtherance of these compliance and enforcement efforts, Colorado Attorney General Phil Weiser announced the beginning of enforcement practices on July 12, 2023. His office began sending letters to Colorado businesses informing and educating them about the new law and the businesses’ new legal obligations. The letters note key provisions of the CPA and provide resources and suggestions on how best to comply with the act. The CPA also requires that, before bringing an enforcement action, the Attorney General’s office or a district attorney send a business a notice of violation and give it 60 days to cure the issue if it is determined that the violation can be remedied. This cure period remains in effect until January 1, 2025, giving businesses leeway to revise and upgrade their data practices during this initial transitional period.
Compared to California’s Data Privacy Law
The Colorado Privacy Act represents a significant step towards protecting consumer privacy in the state of Colorado. By providing individuals with rights and establishing obligations for businesses, the CPA aims to foster a culture of responsible data handling and protections on par with the California Privacy Rights Act (“CPRA”). When compared to existing privacy laws, the CPA is most similar in scope to the CPRA which added further consumer protections to California’s previous data privacy law when it went into effect in January of 2023. Both the CPA and CPRA grant very similar consumer rights; however, the CPA is sometimes interpreted as granting more rights with its inclusion of opt-out rights related to targeted advertising and profiling based on consumer data. There is also a large gap in how the laws determine which businesses need to comply with said laws that may cause confusion when a business is putting together or expanding its consumer data privacy practices.
Now that the CPA has been in effect since July 2023, businesses must ensure they educate themselves and prepare to comply with the act. This will require understanding the distinctive features of, and differences between, the relevant data privacy laws in the United States. The CPA, for instance, has no revenue threshold of the kind the CPRA uses. A revenue threshold in this context is a factor used to determine whether a business must comply with the relevant data privacy law. Under the CPRA, a business is covered if it meets any one of three tests: annual gross revenue of more than 25 million dollars; annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving 50 percent or more of its annual revenue from selling or sharing consumers’ personal information. The CPA has no gross-revenue test at all, so a small business can fall within its scope based on data volume alone. Both laws use a 100,000-consumer figure, but the CPA counts every consumer whose personal data a controller or processor controls or processes, not only those whose data is bought, sold, or shared, and its second prong reaches down to 25,000 consumers when the business earns revenue or a discount from selling personal data. Taken together, these tests can bring a potentially larger pool of companies within the CPA than within the CPRA.
Another major difference between the CPA and the CPRA is the geographic focus used when determining whether a company is covered. The CPRA’s revenue test looks at a business’s total gross revenue regardless of where it is earned, although its consumer-count tests, like the CPA’s, count only residents of the enacting state. The CPA, by contrast, counts only consumers who are Colorado residents and revenue from selling their data, which limits which companies must comply with the CPA.
Another limiting factor of these data laws is the avenues for bringing legal action against businesses that fail to comply with them. The CPA does not allow consumers to take private action against businesses; only the Attorney General’s office or a district attorney may bring enforcement actions. California extends limited rights to consumers to sue companies when a consumer’s data is subject to theft or disclosure because of security failures directly attributable to the company. Coloradans negatively impacted by a business’s data practices can only alert the Attorney General and hope that the Attorney General’s office issues a notice of violation to the noncompliant business. The CPA also includes a cure period of 60 days for the business to come into compliance or face a fine of up to $20,000 per violation, with a cap of $500,000 for a related series of violations. That cure period will no longer be in effect as of January 1, 2025. By that time, businesses will have had eighteen months since the law took effect to adjust their data practices accordingly.
Compliance with the CPA will require organizations to adapt their data management practices, prioritize transparency, and invest in robust data protection measures. As the implementation of the CPA progresses, it will be important for businesses to stay informed and ensure their operations align with the evolving landscape of consumer privacy across the country.