On June 8, 2021, Colorado became the latest state to pass a comprehensive consumer data privacy law (the Colorado Privacy Act, or “CPA”). It is currently awaiting Governor Jared Polis’s signature. Once he signs, the law will go into effect on July 1, 2023, giving covered businesses two years to make sure they follow all of the law’s requirements. This post describes who the law will apply to, what rights and responsibilities those companies have, and how the law will be enforced.
When defining who the Colorado Privacy Act applies to, the law first divides covered businesses into Controllers and Processors. These terms have the same meaning as in other data privacy laws: a Controller is a business that determines the purposes and means of processing personal data, while a Processor is a business that processes personal data on behalf of, and at the direction of, a Controller. The CPA then says that the law applies to a Controller that:
- conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and either
- controls or processes the personal data of one hundred thousand or more Consumers during a calendar year; or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand or more Consumers.
In the CPA, “Consumers” means Colorado residents acting in an individual or household context (not in a commercial or employment context), similar to other US consumer privacy laws. The fact that this applicability test is stated only for Controllers sets the CPA apart from other privacy laws, which generally apply to businesses regardless of whether they act as a Controller or a Processor. This does not mean Processors are exempt from all requirements under the CPA. In particular, the law requires Processors to assist Controllers in complying with the CPA.
Like all other privacy laws, the new Colorado Privacy Act makes exceptions to the requirements it imposes. A few of the notable ones follow, but organizations should consult a privacy expert to verify whether they qualify for one of the many exceptions. For example, personal data that is regulated by federal laws such as HIPAA, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act (“COPPA”) is not subject to the law, and employment records are also outside the scope of the CPA. The law also has exceptions for a few kinds of organizations, such as state institutions of higher education and financial institutions governed by the Gramm–Leach–Bliley Act. If a Controller believes that an exception applies to it, the Controller bears the burden of demonstrating both why the exception applies and that the processing is necessary, reasonable, and proportionate to the specific purpose.
One difference from Virginia’s new consumer privacy law, the Consumer Data Protection Act (“CDPA”), in this list of exemptions concerns COPPA. The CDPA states that compliance with COPPA satisfies the requirement to obtain parental consent for the processing of children’s information. The new Colorado Privacy Act, on the other hand, offers a blanket exemption from the law for all personal data regulated by COPPA.
In addition to the large list of exceptions, the Colorado Privacy Act also lists business practices the law is not intended to restrict. Some are simple and straightforward, like complying with other state and federal laws. Others could be quite broad, depending on how the state chooses to interpret them. For example, covered businesses will still be able to perform internal operations that are reasonably aligned with the expectations of the Consumer based on the Consumer’s existing relationship with the Controller. It is not yet known where the state will draw this line of “reasonable.” Businesses should consult a privacy expert before deciding that an exemption applies to them.
The Colorado Privacy Act gives Consumers a list of rights, just like other comprehensive consumer privacy laws. These include the right to opt out of a business using their data for targeted advertising, selling their data, or using their data for profiling. Of note, under the CPA a Consumer does not have to make the opt-out request themselves; they can authorize another person to act on their behalf.
In addition to opt-out rights, Consumers have the right to access, correct, delete, or transfer (port) their data. When a Controller receives a request to exercise one of these rights, it must respond within 45 days, which it may extend by another 45 days if reasonably necessary. Like the CDPA, the CPA does not require the Controller to respond to a request if it cannot authenticate the Consumer making it; in that case the Controller may request additional information to authenticate the Consumer. A Controller is also exempt from responding to a rights request if the data it holds is pseudonymous or de-identified and the Controller takes certain other steps outlined in the law.
What Businesses Must Do
The law requires Controllers to provide clear and meaningful notice to Consumers stating the:
- categories of personal data collected,
- purposes for collecting it,
- rights Consumers have and how to exercise them, and
- categories of personal data shared and the categories of third parties it is shared with.
The statute also goes through a list of specific duties Controllers have:
- Duty of Purpose Specification,
- Duty of Data Minimization,
- Duty to Avoid Secondary Use,
- Duty of Care,
- Duty to Avoid Unlawful Discrimination, and
- Duty Regarding Sensitive Data.
Where the list of requirements for the Controller is relatively specific, the Processor’s responsibilities are less so. The Processor must assist the Controller in meeting the Controller’s obligations under the new law. This means implementing appropriate security measures, notifying the Controller of anything pertinent to compliance with the law, and meeting other documentation and audit requirements.
To make it clear how the Controller and Processor divvy up their responsibilities, the CPA requires that the relationship between them be governed by a contract. The contract must include provisions that address the:
- Processor’s processing instructions,
- nature of the processing,
- purpose of the processing,
- type of data being processed,
- duration of processing,
- requirement that the Processor must aid the Controller in following the law,
- deletion of data when processing is complete, and
- need for the Controller to audit the Processor.
Neither party can contract out of any obligations given by the CPA.
High Risk Processing
The CPA identifies certain processing as presenting a heightened risk of harm to Consumers. This includes selling personal data, processing sensitive data, and processing for targeted advertising or profiling where that processing could cause substantial injury to a Consumer. Because of this higher chance of harm, the law requires businesses to perform a Data Protection Assessment before undertaking this kind of processing. The Assessment must identify the benefits to all parties from processing the data and weigh those benefits against the risks to the Consumer, taking into account the safeguards the business has in place. Businesses must keep the Assessment on hand so that it can be turned over promptly if the Attorney General requests it. This requirement applies only to processing activities created or generated after July 1, 2023, not before.
The new Colorado Privacy Act gives the Colorado Attorney General and district attorneys the exclusive authority to enforce the law; there is no private right of action allowing individuals to sue businesses for violations of the CPA. Before bringing an action, the enforcing authority must give the business notice of the violation and a sixty-day cure period. Only after that time has elapsed and the company is still not in compliance with the law may enforcement measures be taken. A violation of the statute is prosecuted as a deceptive trade practice. Consequences of deceptive trade practices may include any of the following:
- Court restraining order,
- Court injunction,
- $2,000 per violation, not to exceed $500,000 in total for any related series of violations, and
- $10,000 per violation if the Consumer is 60 years old or older, with no cap.
In addition, the CPA gives the Attorney General rulemaking authority in two areas. First, the technical requirements and specifications for the Universal Opt-Out mechanism. Second, a process by which companies may obtain opinion letters or guidance and rely on them in good faith as a defense against alleged violations of the new law.
SixFifty Can Help
The CPA has many aspects in common with other privacy laws, so businesses already in compliance with, or aware of, other laws will be familiar with many of these new requirements. However, there are enough differences, in both exemptions and compliance obligations, that consulting a data privacy expert is highly recommended if you conduct any business in Colorado. SixFifty will soon release a data privacy tool to help businesses assess whether the law applies to them and, if so, to what extent. In addition, SixFifty will give companies the tools they need to comply with the law well before the effective date of July 1, 2023. Please feel free to reach out to our data privacy experts with any questions you may have.