Privacy Protection Patchwork, Part II: How the Colorado Privacy Act Could Impact Your Business
The number of states enacting comprehensive privacy laws is growing, adding to the existing complex patchwork of privacy, security, and data breach notification laws that keep legal and compliance personnel on their toes. Businesses should start preparing to comply with these laws, many of which become effective in 2023.
This five-part series will highlight key provisions in a few of the new comprehensive privacy laws. Each week we will examine laws in a new state – Virginia, Colorado, Utah, Connecticut, and California – and provide recommendations on what steps businesses should consider taking now to comply. This post explores how the Colorado Privacy Act could impact your business.
Stay tuned every week as we highlight key takeaways from these new laws. We anticipate that this series will continue to grow as states enact or revise consumer privacy laws.
The Colorado Privacy Act
On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, making Colorado the third state (after California and Virginia) to enact a comprehensive privacy law. The CPA will become effective on July 1, 2023.
1. Applicability Threshold
Unlike some state laws that focus on a company’s revenue to determine applicability, the CPA concentrates on the number of consumers whose data are at issue. The CPA applies to companies that conduct business in Colorado, or deliver commercial products or services that intentionally target Colorado residents, when the company processes data of at least 100,000 consumers or derives revenue from the sale of personal data of at least 25,000 consumers each year.
The CPA excludes certain industries and data types from the law, including de-identified data, entities regulated by the Gramm-Leach-Bliley Act, certain data processed by covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA), such as protected health information and data created to demonstrate compliance with HIPAA, and information regulated by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994, and the Family Educational Rights and Privacy Act of 1974 (FERPA).
2. Summary of Consumer Rights
The CPA grants rights to Colorado residents similar to those granted by the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the European Union’s General Data Protection Regulation (GDPR), including:
- The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling;
- The right to confirm whether a controller is processing personal data and to access the personal data;
- The right to correct inaccuracies in personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data;
- The right to request deletion of personal data; and
- The right to obtain a copy of personal data in a portable, readily usable, and easily transmittable format. This last right can be exercised up to twice a year.
These rights are significant as companies to which the CPA applies will need to have internal policies and procedures in place for receiving and responding to inquiries from consumers associated with these consumer rights. Importantly, the CPA requires that companies provide consumers with a universal opt out mechanism that allows consumers to click one button to exercise all their opt-out rights. We expect the implementing regulations to provide clarity on how companies should execute this universal opt-out mechanism.
3. Data Use and Retention
The CPA imposes new restrictions on companies collecting personal data. The collection of personal data, under the CPA, must be limited to data that are reasonably necessary for the specified purposes for which the data are processed. As such, companies must develop procedures for tracking the purposes for which data are collected and establish data retention policies that limit retention of personal data once processing is complete.
Moreover, businesses must execute agreements with processors that identify the purposes for data processing, the type of personal data to be processed, and the duration of processing. Such agreements should also include restrictions on engaging subcontractors, a duty of data confidentiality for processors, and an obligation to delete or return all personal data to the controller at termination. Businesses should review their contracts to confirm that they meet the CPA’s requirements and update them as necessary to comply.
Businesses acting as controllers under the CPA must also conduct and document data protection assessments of all processing activities involving personal data. Data protection assessments focus on processing that presents a heightened risk of harm to the consumer such as processing for targeted advertising or profiling, the sale of personal data, or processing of sensitive data. Similar to the VCDPA, the CPA highlights that the purpose of data protection assessments is to weigh the potential risks of personal data processing against the direct or indirect benefits of processing to the controller, consumer, and the public. Upon request by the Colorado Attorney General, data controllers must produce their data protection assessments. Businesses should draft procedures that outline when they must conduct a data protection assessment and carefully document the process each time an assessment is performed.
Businesses must provide consumers with a reasonably accessible, clear, and meaningful privacy notice. This notice must include a description of the categories of personal data collected and the purposes for which these data are processed, information about the consumer’s rights and choices under the CPA, and the process for withdrawing consent for the processing of personal data. Businesses subject to the CPA should take a close look at their privacy notices and revise as necessary to comply.
5. State Enforcement
The Colorado Attorney General’s Office and Colorado District Attorneys have authority to bring an enforcement action alleging a violation of the CPA following a 60-day cure period, during which time businesses can remediate an alleged violation. This right to cure will sunset on January 1, 2025.
The CPA itself does not include any guidance regarding fines for violations. However, it does state that a violation of the CPA would be considered a deceptive trade practice under the Colorado Consumer Protection Act, which provides that violations are subject to a civil penalty not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations.
Finally, the CPA does not provide for a private right of action.
For more information about the CPA, or for assistance with your privacy compliance program, please contact the authors of this post or reach out to Lewis Brisbois’ Compliance Advisory team at PrivacyCompliance@lewisbrisbois.com. You can also subscribe to this blog to receive email alerts when new posts in this series are published. Read our first installment in this series – discussing the VDCPA – here. View all installments in this series here.