Colorado is the third US state to pass comprehensive consumer privacy legislation. While it was certainly influenced by, and shares content with, the California and Virginia laws, the Colorado Privacy Act also shows the rapid evolution of legal thought and consumer expectations around privacy.
While a federal US privacy law is still nowhere on the horizon, we’ll outline what businesses operating in Colorado need to know for compliance.
What is the Colorado Privacy Act?
The Colorado Privacy Act (CPA) was signed into law on July 7th, 2021, and goes into effect on July 1st, 2023. It protects the privacy rights of Colorado residents and imposes responsibilities on companies doing business in the state.
Among these is mandated adherence to standards for controlling, storing, processing, and maintaining personally identifiable information (PII). (Learn more: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?) In this article, personal information, personal data and PII may be used interchangeably.
The Colorado government acknowledges that there is still room for improvement and will continue to shape the law without restricting innovation. In this, California may continue to be influential, as its California Consumer Privacy Act (CCPA), which only went into effect on January 1st, 2020, is already due to be updated and partially replaced by the California Privacy Rights Act (CPRA) in 2023.
Consumers, controllers and processors under the Colorado Privacy Act
The Colorado Privacy Act is designed to protect the consumer, defined in the Act as: “an individual who is a Colorado resident acting only in an individual or household context; and does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context”.
The Colorado Privacy Act is particularly intended to protect consumers in their online activities. It gives them certain rights over their personal data, including making inquiries or requests to data controllers or data processors about it.
Under the Act a data controller is “a person that, alone or jointly with others, determines the purposes for and means of processing personal data”. So it could be a company, but isn’t explicitly limited to commercial enterprises.
The Act defines a data processor as “a person that processes personal data on behalf of a controller”. Again, likely often a corporate entity, but not always. It can also be a third party that’s not part of the same entity that qualifies as the controller.
“Processing” is a much broader term than sale. The CPA defines it as “collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data”, so a sale is only one kind of processing.
Consumer rights under the Colorado Privacy Act
As noted, the Colorado Privacy Act is intended to protect the rights of consumers residing in the state. The specific rights outlined are fairly standard in comparison with the laws in other states.
Consumers have five specific rights under the Colorado Privacy Act:
- The right to opt-out of data processing for targeted advertising, sale or profiling using their personal data
- The right to access any data that a company has collected about them
- The right to have any data corrected that has been collected about them and is incorrect or outdated
- The right to have any data collected about them deleted
- The right to data portability (being able to have your data transferred to another entity)
Consumer requests for personal information
Consumers can submit inquiries and requests in order to:
- Opt out of the processing of their PII for targeted advertising, sale or profiling
- Confirm if a controller is processing their PII and gain access to it
- Correct inaccuracies in their PII
- Have their PII deleted
- Obtain a copy of their PII in a portable and readily usable format
Data controllers must respond to an authenticated consumer request within 45 days of receiving it. Where “reasonably necessary” the controller can request an additional 45 days to complete the request, but must communicate the reason for the delay.
The Colorado Privacy Act also requires data controllers to establish a process for consumers to appeal a denial of their request, and to tell consumers that they can contact the Attorney General if they have concerns about the outcome of the appeal. The CCPA has no equivalent appeal requirement; Virginia’s CDPA does. Requests can be denied if the person making the request can’t be reasonably authenticated and fails to provide adequate additional authentication information.
Controllers are exempt from some aspects of requesting consent or responding to consumer requests about PII if the data in question has been de-identified. Regular, identifiable PII that has been requested must be provided free of charge once annually per consumer if the request is reasonable and authenticated; for repeat requests within the same year, or requests that are manifestly unfounded, excessive or repetitive, the controller may charge a reasonable fee or decline to act.
Unlike the CCPA (which gives consumers a limited private right of action for certain data breaches), the CPA does not provide consumers with a private right of action, i.e. the ability to sue companies for damages or injury in the event of an alleged violation.
Personally Identifiable Information
Personally identifiable information is among the types of data protected by the Colorado Privacy Act. The term refers to information that is “linked or reasonably linkable to an identified or identifiable individual”. Both physical and digital data and records are protected.
The Act does not enumerate data types; examples of data that would qualify as PII under this definition include:
- Biometric information
- Credit and debit card numbers
- Drivers’ license and license plate numbers
- Email addresses
- Employment information
- Financial data
- Healthcare and insurance information
- Mailing addresses
- Military ID numbers
- Passport ID numbers
- Physical addresses
- Social Security Numbers
- Student ID numbers
- Telephone numbers
The definition of personal data excludes data that has been de-identified or that is publicly available. (Learn more: Data Anonymization: The What, Why, and How of Data Anonymization). Publicly available information includes records lawfully made available from any level of government and information that the consumer has lawfully made available to the general public. (So keep an eye on those social media privacy settings.)
Sensitive personal information
As is common to other privacy laws, the Colorado Privacy Act also specifies “sensitive data” that requires specific consent and handling. It includes data that could reveal:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data from a known child
The Colorado Privacy Act, like the other state-level laws adopted in the US to date, uses an opt-out model, which means that in most cases data controllers do not need to get consumers’ consent before collecting their personal information. The exception to this is if it’s sensitive personal information that is being collected, if the data is to be processed for purposes other than the ones previously specified (and potentially consented to), aka “secondary use”, or if the data is that of a known child (in which case parental or guardian consent is required).
Other privacy laws, like the European Union’s General Data Protection Regulation (GDPR), are often described as opt-in: every processing operation needs a lawful basis, and where consent is that basis it must be obtained before the personal data is collected at all. In the United States, there are indications that newer privacy legislation is starting to favor a hybrid model that specifies more granularly when and for what consumer consent must be obtained and when and how it can be withdrawn.
Who has to comply with the Colorado Privacy Act?
The Colorado Privacy Act applies to entities that conduct business in Colorado, or that produce or deliver commercial products or services intentionally targeted to Colorado residents, and that:
- process personal data of 100,000 or more residents annually, or
- process personal data from at least 25,000 residents annually and derive revenue or receive a discount on goods/services as the result of the sale of that data
These thresholds are similar to those in the CCPA and Virginia’s Consumer Data Protection Act (CDPA), and keep the smallest businesses out of scope. Note that, unlike the CCPA, the CPA has no general annual revenue threshold: scope is determined by the number of consumers whose data is processed and by whether personal data is sold.
Conducting business in Colorado does not imply that a company has a physical presence or is headquartered in the state. Companies meeting the requirements and doing business via website or app are also required to comply.
Exemptions to Colorado Privacy Act compliance
Not all companies are required to comply with the Colorado Privacy Act. As noted, businesses that fall below the thresholds for the number of consumers whose data is processed annually are out of scope. Additionally, the following types of organizations and data are exempt:
- Public utilities
- Entities covered by the Gramm-Leach-Bliley Act (financial institutions)
- Entities covered by the Children’s Online Privacy Protection Act
- Entities covered by the Family Educational Rights and Privacy Act
- Entities that are subject to the Fair Credit Reporting Act
- Governmental entities in Colorado
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Those collecting/processing data for Colorado health insurance law purposes
- Those collecting/processing data for employment records purposes
- Those processing de-identified personal data
- Consumer reporting agencies
- Higher education institutions
There is, unsurprisingly, some consternation among privacy professionals over the extensive number of exemptions, especially for commercial entities. On the other hand, in a departure from other states’ laws, the Colorado Privacy Act applies to charitable organizations and nonprofits that meet the aforementioned thresholds.
Companies’ obligations under the Colorado Privacy Act
On the other side of the scale from consumers’ rights under the CPA, businesses have responsibilities regarding collecting and use of data.
Organizations’ duties under the Colorado Privacy Act
- Duty of transparency – must provide a “reasonably accessible, clear, and meaningful privacy notice” (more detail below)
- Duty of purpose specification – what data is being collected and for what specific purposes
- Duty of data minimization – adequate, relevant, and limited to what is reasonably necessary to fulfill the communicated purpose
- Duty to avoid secondary use – do not process personal data for purposes that are not reasonable or necessary to the communicated purpose
- Duty of care – reasonable measures to secure data from unauthorized access must be taken for storage and use
- Duty to avoid unlawful discrimination – do not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers
- Duty regarding sensitive data – do not process consumers’ sensitive data without obtaining explicit and informed consent, or, in the case of a known child, without obtaining consent from the parent or guardian
Transparency requirements for privacy notices
Further to the duty of transparency, the privacy notice must include:
- categories of personal data collected or processed by the controller or processor
- purposes for which the categories of data are processed
- the categories of personal data that the controller shares with third parties, if any
- the categories of third parties with which the controller shares personal data, if any
- clear and conspicuous disclosure of the sale or processing of personal data if the controller sells it to third parties or processes it for targeted advertising, as well as how consumers can exercise their right to opt out of sale or processing
- how and where consumers can exercise their rights under the Act, including contact information for the controller and information about appealing a controller’s action with regards to consumer requests (though consumers cannot be required to create a new account to make or appeal the response to a request)
Interestingly, regarding duty of care, the Colorado Privacy Act specifies that organizations’ data security practices “must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business”.
Controllers are also required to conduct and document a data protection assessment before engaging in any processing that presents a “heightened risk of harm” to consumers. This includes processing for targeted advertising or profiling, the sale of personal data, and the processing of sensitive data. The Attorney General can demand these assessments.
As noted above, companies have to respond to consumer requests within 45 days, with some exceptions and with the possibility of extending that in some cases. They must also explain the reason for an extension, or the reason for denying a request. Common reasons that a company might deny a request are that the company holds no data about the consumer, or that the consumer cannot be reasonably authenticated before personal information is revealed. It is also generally considered reasonable to decline an excessive number of requests received in a short period of time, especially if the data is not of a type that changes frequently.
Colorado Privacy Act enforcement and penalties
The Colorado Attorney General and district attorneys have exclusive authority to enforce the Colorado Privacy Act. If a CPA violation is alleged and appears reasonable or provable, the enforcing office will send a notice to the organization in question with an opportunity to correct the problem. The entity has 60 days from the date of receipt to correct the violation (known as a “cure” period). This is double the cure period allowed in the CCPA and CDPA. Note that the CPA’s cure right is temporary: it is repealed effective January 1st, 2025, after which enforcement can proceed without a notice-and-cure step.
Interestingly, the CPA does not specify fines for violations. A Colorado Privacy Act violation is considered to be a deceptive trade practice. Penalties for that are governed by the Colorado Consumer Protection Act (confusingly, also CCPA), and can be up to US$20,000 per violation, or up to US$50,000 per violation against an elderly person. That Act used to cap civil penalties at US$500,000 for a series of related violations, but the cap was removed in 2019. Because each affected consumer or transaction can count as a separate violation, the exposure for a systemic failure can be substantial.
As a result of Consumer Protection Act oversight, Colorado Privacy Act violations can also lead to criminal charges. Criminal penalties are not common in privacy law internationally, but are not unheard of. Violations of South Africa’s Protection of Personal Information Act (POPIA) can result in prison sentences of up to 10 years in some instances.
What does the Colorado Privacy Act mean for companies’ web presence?
The deadline for organizations that must comply with the CPA is July 1st, 2023, so they have some time yet. Entities already compliant with the CCPA and/or CDPA, or even the GDPR, will not have a great deal of additional compliance work to do.
That said, regular data audits, risk assessments and reviews of privacy policies and operations are highly recommended, as is consulting with qualified legal counsel, and appointing a data protection officer, where possible.
Companies also need to ensure that it is reasonably easy for consumers to contact them, and that they can respond to and comply with consumer requests in a timely manner. Such requests can be resource-intensive and time-consuming for smaller organizations, especially if the process is not automated and if a company’s data is stored in multiple locations, since every copy must be located to fulfil an access, correction or deletion request.
Companies engaging in digital marketing, ecommerce and other online activities should look into a consent management platform for their web and app properties to ensure they are collecting consumers’ consents where required, as well as storing them securely (and in case of an audit or allegation of privacy violation).
The CPA vs. the CCPA and CDPA
As noted, Colorado is the third state to pass its own comprehensive privacy law, following Florida’s near miss in April 2021. California was the first, with the CCPA, which came into effect in 2020. Virginia’s law comes into effect in 2023, the same year as California’s second privacy law, the CPRA.
All three states’ Acts apply to personally identifiable information, with some special provisions for sensitive information. They do not apply to publicly available or de-identified information. All three Acts use an opt-out model for consumer consent.
The CPA and CDPA include a duty of data minimization, requiring controllers to limit data collection based on reasonableness and relevance. The CCPA does not reference data minimization; however, the upcoming expansion and partial replacement of it, the CPRA, does address this. Under all three laws consumers can opt out of data processing and request deletion at any time.
All three laws have thresholds for compliance, involving the number of individuals from whom personal data is processed in a given year, or company revenue, or both.
The 45-day response period for consumers’ requests is consistent across the Acts, and consumers must be provided with requested data free of charge. The CPA’s cure period for alleged violations of 60 days is twice as long as in the CCPA and CDPA.
The CPA is the only one of the state-level laws that does not on its own specify fines for violations, as those are considered “deceptive trade practices” covered under the Colorado Consumer Protection Act. As a result, CPA violations can technically result in criminal charges, which is not possible in California or Virginia. Like the CDPA, the CPA does not allow consumers private right of action, unlike the CCPA.
The CPA is acknowledged to be a work in progress, and will likely change and evolve over time. Its contents are not a significant departure from California’s and Virginia’s laws, so prior compliance with other state-level or international privacy law will have done most of the heavy lifting for CPA compliance. As always, we recommend that companies consult qualified legal counsel for their specific data privacy compliance needs.
If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.