On July 7, 2021, Colorado’s Governor, Jared Polis, signed the Colorado Privacy Act (“CPA”) into law. Colorado is the third U.S. state to enact a comprehensive privacy law, following the California Consumer Privacy Act (“CCPA”) and the Virginia Data Privacy Act (“CDPA”). Though the CPA will not become effective until July 2023, it is critical for businesses to evaluate their current privacy frameworks now and to determine whether those frameworks will be sufficient to meet the expanded requirements under the CPA.
Who does it apply to?
The CPA will apply to any entity that conducts business, produces products, or provides services intentionally targeted at Colorado residents and that either (i) controls or processes data of at least 100,000 Consumers, or (ii) controls or processes data of at least 25,000 Consumers and also derives some portion of its revenue from the sale of personal data. The CPA defines “Consumer” as a Colorado resident acting in an individual or household context. Unlike the CCPA, the CPA has no revenue thresholds. This both expands and narrows its applicability: a company will not automatically become subject to the CPA because of its annual gross revenue, but, unlike under the CCPA, it can become subject to the law even when it derives less than 50% of its gross annual revenue from selling data.
What rights do consumers have?
Like the CCPA and the CDPA, the CPA left the definition of “personal data” very broad, stating it is information reasonably linkable to an identifiable individual. At this point, how “reasonably linkable” will be defined is unknown. What is clear is that consumers will have five specific rights in relation to their data under the CPA:
- Access – Right to know whether a controller is processing their personal data
- Correction – Right to correct any inaccuracies in their personal data
- Deletion – Right to delete consumer-related information
- Portability – Right to portability of data so it can be transmitted easily and readily
- Opt Out – Right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce significant effects on the consumer
Though the opt-out right itself is not substantively different from that in other existing U.S. privacy laws, the requirements for how companies must provide it are. Companies must offer consumers a clear and conspicuous way to opt out of collection. By 2024, the Colorado Attorney General’s office will create and deploy a universal opt-out mechanism to replace the individual mechanisms offered by each company. This makes the CPA the first privacy law to require companies to employ universal opt-out technologies.
Also of note, the CPA specifically invalidates any consent obtained through “dark patterns,” meaning designs or practices created or manipulated with the effect of subverting or impairing an individual’s autonomy, decision making, or choice.
What obligations do I have?
In addition to preparing for the universal opt-out requirement for all targeted advertising and sale of data, companies must do all of the following:
- Transparency – Give Consumers a privacy notice that is reasonably accessible, clear, and meaningful
- Purpose – Specify the express purposes for which they are collecting and processing personal data
- Minimization – Make sure that the collection of Personal Data is adequate, relevant, and limited to what is reasonably necessary in relation to those specified purposes
- Secondary Use – Refrain from processing personal data for purposes that are not reasonably necessary for the specified purposes without a Consumer’s consent
- Precaution – Take reasonable measures to secure personal data from unauthorized acquisition during storage and use
- Discrimination – Avoid unlawful discrimination
- Sensitive Data – Provide opt-in consent for the processing of “sensitive data,” which is defined as data that reveals information about race, gender, ethnicity, religious beliefs, sexuality, or citizenship, as well as genetic or biometric data
- Assess – Complete a data protection assessment in certain situations, such as processing data for targeted advertising or profiling, selling personal data, or processing sensitive data
- Contract – Use contracts to govern the relationship between the controller and the processor of data, establishing instructions, requirements, scope, and duration
There is no private right of action under the CPA; enforcement is left to the attorney general or district attorneys. If needed, the attorney general or a district attorney can bring an enforcement action seeking an injunction or a civil penalty. Though the CPA itself does not set fine amounts, violations would likely be subject to the Colorado Consumer Protection Act, under which an entity can be fined up to $20,000 per violation.