The Colorado Privacy Act, New Data Privacy Requirements
The Colorado Privacy Act (CPA) is a newly passed comprehensive data privacy law aimed at protecting the personal data of Colorado residents. The Act identifies and imposes a variety of obligations on “controllers” and “processors” of personal data collected from Colorado consumers. Under the Act, a controller is a person that “determines the purposes for and means of processing personal data”, while a processor is a person who processes personal data on behalf of a controller. The principal requirements and obligations of controllers under the Act are as follows:
- Provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data collected or processed by the controller or processor, the purposes for that processing, how consumers can exercise their rights under the CPA, the categories of personal data shared with third parties, and the categories of third parties with whom that data is shared.
- Disclose in a conspicuous manner any sale of a consumer’s personal data, and outline the way in which consumers can opt-out of the sale and processing of their personal data.
- Limit the collection of a consumer’s personal data to what is “reasonably necessary” in relation to the specified task for which the data is processed.
- Take reasonable steps and measures to secure the personal data of consumers that are compatible with the scope, nature, and volume of said data.
- Obtain the consent of consumers before processing their sensitive data (for example, data revealing racial or ethnic origin, religious beliefs, health condition, sexual orientation, citizenship status, genetic or biometric data, or the personal data of a known child). Consent must be a clear and affirmative act signifying agreement that is freely given, specific, informed, and unambiguous; the Act states that consent cannot be obtained through acceptance of broad or general terms, or through dark patterns designed to subvert or impair the consumer’s choice.
Who is protected under the Colorado Privacy Act?
The Colorado Privacy Act protects Colorado residents and grants them certain rights in relation to the protection of their personal information and data. More specifically, the CPA affords Colorado consumers the following rights:
- The right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- The right to confirm if a controller is processing their personal data, as well as the right to access said data.
- The right to correct inaccuracies in a consumer’s personal data.
- The right to delete personal data in relation to a consumer.
- The right to obtain a copy of their personal data in a portable manner, if technically feasible.
Much like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), the CPA requires controllers to respond to authenticated consumer requests within 45 days (extendable once by a further 45 days where reasonably necessary). The CPA also requires controllers to establish a process by which consumers can appeal a controller’s refusal to act on a request.
Who does the Colorado Privacy Act Apply to?
The Colorado Privacy Act protects Colorado residents, defined as consumers under the CPA, and imposes data protection requirements on controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents, and that meet at least one of the following thresholds:
- Control or process the personal data of at least 100,000 consumers during a calendar year.
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and control or process the personal data of at least 25,000 consumers.
How do businesses comply with the Colorado Privacy Act?
Much like the recently passed Virginia and California data privacy laws, the CPA permits businesses and companies to develop their own general uniform approach concerning data privacy compliance obligations. Despite this, the CPA suggests the following framework for assessing such compliance obligations and requirements under the act:
- Confirm that your business is subject to the CPA. Business entities must determine whether they meet the jurisdictional thresholds of the CPA, which, unlike California’s law, do not include a minimum revenue threshold.
- Determine whether your business sells personal data. Businesses will need to establish whether, and to what extent, their disclosures of personal data to third parties fall within the CPA’s definition of a sale, which covers exchanges for monetary or other “valuable consideration”. Under the CPA, disclosures to processors or affiliates, and disclosures made to provide a product or service requested by the consumer, are not considered sales.
- Revise privacy policies. Businesses should revise privacy policies to reflect current data processing, communicate the new rights available to Colorado consumers, and identify the mechanisms through which consumers can exercise those rights.
- Implement reasonable security measures. Assess cybersecurity practices, policies, and controls to ensure they are appropriate to the volume, scope, and nature of the personal data processed and consistent with recognized industry standards.
- Conduct data protection assessments. The CPA requires a documented data protection assessment before undertaking processing that presents a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. The assessment must weigh the benefits of the processing against the risks to consumers, and the Attorney General may request it.
- Enable consumer opt-out of the sale of personal data and targeted advertising where applicable. The CPA takes effect on July 1, 2023. Beginning July 1, 2024, controllers must also honor a “user-selected universal opt-out mechanism” (such as a browser-level signal) that meets the technical specifications established by rule by the Colorado Attorney General.
- Implement a consent mechanism for collecting sensitive data. Businesses that process sensitive data are obliged to obtain the consumer’s “freely given, specific, informed, and unambiguous” consent before doing so. The CPA specifies that consent does not include acceptance of a business’s general or broad terms of use or service, hovering over, muting, pausing, or closing content, or agreement obtained through dark patterns. Businesses should build opt-in mechanisms that satisfy these constraints.
- Facilitate receipt and response to consumer requests- Businesses should develop mechanisms for accepting, verifying, tracking, and honoring a consumer’s request to exercise their access, correction, and deletion rights under the CPA.
- Implement a training program. Businesses must ensure that employees responsible for handling consumer requests and inquiries understand those requests and are trained to handle them in a timely and consistent manner that maintains compliance with the CPA.
What are the fines and penalties for non-compliance under the CPA?
The CPA will be enforced by the Colorado Attorney General and by state district attorneys. Any violation of the CPA constitutes a deceptive trade practice under the Colorado Consumer Protection Act, and the civil penalties of that statute therefore apply: up to $20,000 per violation, with a maximum of $500,000 for any related series of violations. Until January 1, 2025, enforcement authorities must give a controller notice and a 60-day cure period before bringing an action. The CPA grants Colorado consumers no private right of action, and the Colorado Attorney General is authorized to “adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation” of the CPA.
The goal of the CPA is to give Colorado consumers a further level of protection when sharing their personal data. With online activity at an all-time high following the expansion of internet service over the last 25 years, such legislation is very much needed. Following Virginia and California, Colorado is the most recent state to pass a comprehensive data protection law. While only a handful of states have passed such legislation as of this writing, more are sure to consider their own data privacy laws in the near future.