On July 8, 2021, the Colorado Privacy Act (CPA) was signed into law with an effective date of July 1, 2023. Colorado became the third US state, after California and Virginia, to enact a comprehensive privacy law. The objective and basic consumer rights provisions within CPA are not very different from these state privacy laws. However, unlike the California Consumer Privacy Act (CCPA), CPA has adopted the controller-processor approach of the General Data Protection Regulation (GDPR). Earlier this year, Virginia, with its Virginia Consumer Data Protection Act (VCDPA), adopted a very similar approach. Similar to GDPR, the controller is the one who determines the purpose and means of processing, while the processor is the one who processes the personal data on behalf of the controller. The CPA expects the controller to perform a data protection assessment where processing presents “a heightened risk of harm” to the consumer.
The CPA applies to the controller who does business in Colorado or who “deliver[s] commercial products or services targeted toward the resident of the state.” Unlike CCPA, the CPA does not have a revenue threshold. The law is applicable only when the “controller processes the personal data of 100,000 consumers or more during a calendar year” and/or “derives revenue or receives discount on the price of goods or services from the sale of personal data and controls or processes the personal data of [25,000] consumer[s] or more.” Additionally, the law is applicable only in an individual or household context; commercial or employment context is not included in the scope of the law.
Similar to CCPA and VCDPA, the CPA provides certain rights to the consumer as outlined below:
Right to Opt Out: Consumer has the right to opt out of the sale of personal information. Additionally, the consumer has the right to opt out where personal data is used for profiling and targeted advertising. While the right to opt out is very similar to other state privacy laws, the CPA provides a universal opt-out option for the consumer. However, regardless of the universal opt-out option, a consumer can still provide an informed consent for the sale or targeted advertising as “consent takes precedence over any choice reflected through universal opt-out.”
Right of Access: Consumer has the right to confirm “whether a controller is processing personal data concerning the consumer” and the consumer can request access to the data.
Right of Correction: Consumer has the right to request correction of the inaccuracies in the personal data.
Right of Deletion: Consumer has the right to request deletion of personal data.
Right to Data Portability: Consumer has the right to request access to personal data in a portable format that will allow the consumer to transfer data to another entity.
Similar to CCPA, the CPA does not expect a consumer to create a new account with the controller to exercise his/her rights. The law expects the controller to authenticate the identity of the consumer while responding to the consumer requests. The controller needs to fulfill the consumer request free of charge within 45 days, with an option to extend it for another 45 days, “depending on the complexity and number of the requests.” However, for any subsequent consumer request within a 12-month period, the controller may charge a fee. In situations where a controller may deny a consumer request, the CPA provides the consumers the right to appeal.
Controller and Processor Responsibilities
Similar to GDPR, the CPA requires the controllers and the processors to follow certain requirements as outlined below:
Duty of Transparency: Similar to CCPA, GDPR and VCDPA, the CPA mandates the controller to “provide [the] consumer with [a] reasonably accessible, clear and meaningful privacy notice.”
Duty of Purpose Specifications: The controller needs to specify the purpose of collection and processing of personal data.
Duty of Data Minimization: The controller needs to limit data collection based on the specified need.
Duty to Avoid Secondary Use: The law prohibits the controller from using the data outside the purpose specified during collection.
Duty of Care: The controller needs to implement appropriate controls to safeguard data during processing and storage.
Duty to Avoid Unlawful Discrimination: The law prohibits the controller from making unlawful discrimination against consumers.
Duty Regarding Sensitive Data [1]: The law prohibits the controller from processing sensitive data of consumers without appropriate consent. The law also prohibits controllers from processing children’s data without valid consent from parents or lawful guardian. [2]
Unlike CCPA, both the attorney general and district attorneys can enforce the law. Prior to initiating any action against the controller, the enforcement authority will issue a notice of violation and the controller will have 60 days to cure. However, this provision to cure will be repealed after January 1, 2025. The law does not provide explicit guidance about penalties or fees for privacy violation. However, any violation of the act will be considered as a deceptive trade practice.
Even before organizations have had time to digest and prepare for the VCDPA, they have another new state privacy law to incorporate into their operations. With other state laws in the pipeline, organizations should prepare themselves with a comprehensive privacy compliance program. Many may wonder where to start and what the most efficient approach is toward developing this type of robust privacy program. Organizations should start by gaining an understanding of the data they are collecting, processing, retaining, and sharing with third parties, and by developing a data inventory to understand the flow of consumer personal information across business units, service providers, and third parties. Organizations will then be able to conduct current state assessments against any new privacy laws to identify compliance gaps, and develop a roadmap of future activities to address those gaps and operationalize the new requirements.
[1] Sensitive data is defined as personal data related to “racial origin, mental health condition, citizenship, sexual orientation, biometric data,” etc.
[2] Child is defined as an “individual under 13 years of age.”