On July 8, 2021, Colorado became the third state to pass broad consumer privacy legislation. Signed by Governor Jared Polis, the Colorado Privacy Act (CPA) follows the CCPA and VCDPA in terms of consumer rights and business obligations and will go into effect on July 1, 2023.
Under the CPA, there is no global annual revenue threshold or application to only certain company sizes. The CPA applies to companies that either collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive revenue from the sale of data.
The process required to respond to a privacy request, how long the business has to respond, and individual exceptions businesses may use to resist complying with a privacy request differs between Colorado, California, and Virginia. Under the CPA, the timeline is 45 days to respond to a consumer request.
Consumers’ ability to opt out of the “sale” of data is arguably much broader in California. This is because the Colorado law is limited to ‘sales’ in exchange for monetary value only, whereas California does not include that limitation. However, the CPA lets consumers opt out of having their information processed to create consumer profiles, which is not part of the current CCPA.
Consumer Rights and Key Provisions
As with the VCDPA and the CCPA, the CPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike the CCPA, Colorado consumers can only use an authorized agent for sale opt-out requests.
Consumer rights include:
- Opt out of the processing of personal data concerning the consumer
- Authorize another person to opt out of the processing of the consumer’s personal data for purposes of targeted advertising or the sale of the consumer’s personal data
- Confirm whether the controller is processing the consumer’s personal data and, if so, access that data in a portable and readily usable format
- Correct inaccurate personal data collected from the consumer
- Delete personal data concerning the consumer
The CPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out by July 1, 2023, which controllers must honor starting July 1, 2024. Unlike the CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under the CPA.
At a high level, the CPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA.
The CPA applies to “controllers” that conduct business in Colorado or target Colorado residents and
- control or process the personal data of 100,000 or more consumers during a calendar year OR
- derive revenue or receive a discount on the price of goods or services from the “sale” of personal data and process or control the personal data of 25,000 or more consumers
There is no threshold for monetary revenue such as the one in California.
The major obligations required of businesses are:
- Transparency, including an “accessible, clear, and meaningful privacy notice,” which must include:
- Categories of data collected
- Purposes for processing data
- Instructions for consumer right requests
- How personal data and categories are shared
- Specify the purpose for collecting data at the point of collection
- Employ data minimization practices
- Obtain consent before collection of sensitive data
- Uphold data processing contracts between a controller and a processor
In addition, controllers must conduct data protection assessments before processing personal data in a manner that creates a “heightened risk of harm to a consumer.”
There are some nuanced exemptions for businesses whose data is already regulated by federal law, such as health care providers, higher education, and financial institutions. In addition, there are exemptions for B2B businesses from most requirements. This includes any business that has no direct contact with consumers. However, these businesses would still be subject to consumer privacy requests if they have consumer data.
The CPA is the first law that can be enforced by both the district attorney and the attorney general’s office. Violations would be punishable by the civil penalties set forth in C.R.S. 6-1-112. That statute provides for civil penalties of not more than $20,000 for each violation.
In the current rendition of the law, when a district attorney or attorney general begins enforcement, the office will provide a notice to the controller. Within 60 days, the controller must cure the violation or risk a fine following the time period. There is also a two-year sunset clause that will cease on January 1, 2025. After that sunset period, controllers will no longer be able to resolve issues prior to enforcement and will be penalized accordingly.
With state laws passed in California, Virginia, and now Colorado, there is mounting pressure on the federal government and businesses alike regarding privacy. Consumers continue to raise their expectations for privacy rights and controls. Curious how your business can stay ahead of the privacy trend and automate compliance? Check out our latest report licensed by Gartner that covers strategies for identifying risks and automating compliance.