Colorado Privacy Act

The Colorado Privacy Act (CPA) is a comprehensive data privacy framework signed into law on July 8, 2021, and set to take effect on July 1, 2023.

The legislation generally aims to protect the privacy of Colorado's residents by imposing certain responsibilities on companies that collect or process their personal data.

Following the recent trend of states passing their own data privacy frameworks, Colorado has now joined California and Virginia, becoming the third state in the U.S. to enact a comprehensive data privacy law.

The law will have a significant impact on consumers and certain businesses in Colorado, which means you need a reliable and proactive compliance strategy to stay ahead of potential liability.

Without further ado, let's see what the CPA entails, including its purpose, who it applies to, what it requires, and how your business can ensure CPA compliance.

What is the Purpose of the Colorado Privacy Act?

The CPA was primarily designed to protect the digital privacy of the residents of Colorado by giving them more control over how their personal data is handled.

To do this, the law requires businesses to be responsible custodians of data and take certain steps to guarantee the protection of consumers' privacy.

The introduction of the CPA is thanks to the ever-increasing awareness for data security and digital privacy as well as the proliferation of privacy regulations like the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Virginia Consumer Data Protection Act (VCDPA).

In fact, the CPA's fundamental framework was designed in a very similar fashion to these laws, more significantly, the CCPA, the CPRA, and the CDPA. The CPA, however, includes a few noteworthy differences in its provisions, but we'll go into that later.

As a company operating in Colorado or targeting its residents, the CPA provides rules about:

• How you can legally collect or process personal data
• How you can help consumers exercise their privacy rights
• The extent to which you must keep personal data secure
• The general requirements for compliance, including data protection assessments, transparency, data minimization, and so on

Now that we know why the CPA was created and what it intends to accomplish, let's briefly examine the rights and liberties granted to consumers under the law.

Consumer Privacy Rights Under the Colorado Privacy Act

Like most modern privacy laws, the CPA provides consumers with certain rights regarding the processing of their personal data. Briefly, they are as follows.

Right of Access

Under the CPA, consumers have the right to know if your business collects or processes their personal data. If yes, consumers also have the right to access their data.

Here's an example from Upwork's Privacy Policy:

Right to Opt Out

Consumers have the right to opt out of the processing of their personal data for such purposes as:

• The sale of their personal data
• Targeted advertising, or
• Profiling to help make decisions that produce legal or similarly notable effects concerning a consumer

Although the CPA's right to opt out isn't notably different from other laws, its method for opting out is.

Under the law, businesses are required to implement a "user-selected universal opt-out mechanism" that allows consumers to exercise their opt-out right by clicking a single button.

The universal opt-out mechanism hasn't been specified yet, but the Colorado attorney general is expected to provide the technical standards before July 1, 2024. We'll keep you informed as additional information is available.

Right to Correction

Under the CPA, consumers have the right to correct any inaccurate or outdated details in the data collected about them.

Here's how Etsy presents this right in its Privacy Policy:

Right to Deletion

The CPA gives consumers the right to request that their personal data be deleted from your records.

For example, here's how Gymshark presents this right in its Privacy Notice:

Right to Data Portability

Consumers are also entitled to obtain a copy of their personal data in a portable and readily-usable format for transfer to a third party without hindrance.

Responding to Consumer Requests

Finally, you must develop mechanisms to promptly respond to consumers' requests regarding their personal data. According to the CPA, your response time shouldn't exceed 45 days after receiving the request.

However, you may extend that deadline by an additional 45 days in certain cases (e.g., when consumers' requests are complex or high in volume), but make sure to let consumers know the reason for the extension.

The Colorado Privacy Act's Definitions

Before looking at the scope and requirements of the CPA, you need to understand how certain terms are defined under the law.

Consumer

A consumer (for purposes of the CPA) refers to "a resident of Colorado acting only in an individual or household context."

A person operating in a commercial or employment capacity (e.g., a job candidate) is not considered a consumer under the CPA.

Personal Data

The CPA defines personal data as:

"Information that is linked or reasonably linkable to an identified or identifiable individual"

From this definition, personal data may include but isn't restricted to the following:

• Names
• Email/physical addresses
• IP addresses
• Social security numbers
• Identification numbers
• Credit card information
• Phone numbers

However, personal data does not include:

• De-identified data (i.e., any data from which all personally identifiable information has been removed), or
• Publicly available information

Sensitive Data

Under the CPA, sensitive data refers to a type of personal data that requires explicit consent and handling. It includes personal data that could reveal the following:

• Racial or ethnic origin
• Religious beliefs
• Sexual orientation
• Physical or mental health condition
• Citizenship status
• A known child
• Genetic or biometric information

Processing

The CPA defines processing as:

"The collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data"

Practically speaking, any action carried out on personal data can be labeled as processing.

Controller

Similar to the GDPR's definition, the CPA defines a controller as an individual or entity that "determines the purposes for and means of processing personal data."

Controllers are generally held more accountable for compliance under the CPA than processors.

Processor

A processor, on the other hand, refers to an individual or entity that "processes personal data on behalf of a controller."

Processors typically operate under the direction and supervision of controllers.

Who Does the Colorado Privacy Act Apply to?

The CPA applies to controllers operating within the borders of Colorado or selling commercial products or services to its residents and meets any of the following thresholds:

• Controls or processes the personal data of more than 100,000 consumers yearly
• Derives revenue or obtains discounts from the sale of personal data and control or process the personal data of more than 25,000 consumers

Compliance may be easier on smaller businesses as these stipulations are almost identical to those in the CCPA and Virginia's CDPA.

In sum, even if your company is located in Utah, as long as you offer products or services to Colorado residents and meet either threshold specified above, the CPA will apply.

Who the Colorado Privacy Act Doesn't Apply to

Compliance with the CPA is not required for all businesses. For example, businesses that don't reach the number of residents whose data is processed yearly are exempt from the CPA's scope.

The following organizations are also exempt from having to comply with the CPA:

• Airlines
• Public utilities
• Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA)
• Organizations subject to the Children's Online Privacy Protection Act (COPPA)
• Financial institutions subject to the Gramm-Leach-Bliley Act (GBLA)
• Organizations subject to the Family Educational Rights and Privacy Act (FERPA)
• Organizations subject to the Fair Credit Reporting Act (FCRA)
• Governmental organizations in Colorado
• Organizations processing de-identified personal data
• Organizations that process data for employment records purposes
• Organizations that process data for Colorado health insurance law
• Higher education institutions
• Consumer reporting agencies

It is worth noting that, unlike other U.S. privacy laws, the CPA doesn't exempt nonprofit organizations.

Requirements of the Colorado Privacy Act

Reminiscent of the GDPR's data processing principles, the CPA provides a set of obligations that must be observed by organizations under its scope. Briefly, they are as follows.

Duty of Transparency

The CPA requires you to provide consumers with a "reasonably accessible, clear, and meaningful" Privacy Notice (aka a Privacy Policy).

Additionally, your Privacy Policy must be conspicuously displayed on your company's website and contain the following information:

• The categories of personal data you collect or process
• Your reasons for processing personal data
• How consumers can exercise their privacy rights and appeal decisions about their requests
• The categories of data you share
• The third parties (if any) with whom you share data
• Clear and prominent disclosure of the sale or processing of personal data, as well as how consumers can opt out of the sale or processing

Duty of Purpose Specification

Under the CPA, you are required to explicitly inform consumers about what type of personal data you collect from them and the reasons for such.

Duty of Data Minimization

The CPA mandates businesses to limit the amount of data obtained from consumers and to collect only "adequate, relevant, and reasonably necessary information" which must be used only for the pre-established purpose.

Duty to Avoid Secondary Use

Expanding on the duty of data minimization, the CPA allows you to process a consumer's data for purposes that are not reasonably necessary or compatible with pre-established purposes only after obtaining the consumer's explicit consent or approval.

Duty of Care

Another important requirement under the CPA is to take reasonable measures to protect personal data from unauthorized access during its use or storage.

Furthermore, the measures taken must be appropriate to the volume, scope, and nature of the data being processed as well as the type of business.

Duty to Avoid Unlawful Discrimination

The CPA prohibits you from processing personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers.

Duty Regarding Sensitive Data

Lastly, the CPA requires you to obtain informed and explicit consent before processing a consumer's sensitive data.

If the consumer is a known child, you must obtain explicit and informed consent from the child's parent or guardian.

Best Practices to Ensure Compliance with the Colorado Privacy Act

To stay compliant with the Colorado Privacy Act, make sure you observe the following.

Evaluate and Update Your Privacy Policy

If your business falls under the CPA's scope, you need to revise your current data practices and update your Privacy Policy to ensure full compliance with the law.

As noted earlier, your Privacy Policy should cover (in detail) your data processing activities, the privacy rights of consumers, and the process by which consumers can exercise these rights.

Conduct Data Protection Assessments

Data protection assessments help organizations evaluate how they use, sell, and process personal data, as well as the risks involved in the processing.

As a business owner, the CPA requires you to regularly conduct data protection assessments before implementing processing activities that may present a heightened risk of harm to consumers.

Additionally, it's recommended that you document these assessments whenever they are conducted.

Implement a Universal Opt-Out Mechanism

The CPA requires you to implement a user-selected universal opt-out mechanism to allow consumers to opt out of the sale of their personal data, targeted advertising, and profiling.

The opt-out mechanism must be implemented before July 1, 2024, and satisfy the technical requirements set forth by Colorado's attorney general.

Develop a Consent Mechanism to Collect Sensitive Data

Like other U.S. privacy laws, the CPA is more protective of sensitive data and, as such, requires you to obtain explicit consent from consumers before attempting to process their sensitive data.

According to the CPA, consent must be freely given, specific, informed, unambiguous, and characterized by a clear, affirmative action.

The best way to do this is to use a clickwrap method to ensure that consumers have reviewed and consented to your data policies and practices.

For example, here's how PayPal obtains explicit consent from its users before they sign up:

Implement Appropriate Security Measures

Under the CPA, you must implement reasonable security measures to keep personal data from falling into the wrong hands.

To stay compliant, you need to implement and constantly revise your cybersecurity safeguards to ensure that they're up to industry-recognized standards.

Here's how Reddit presents this clause in its Privacy Policy:

Conduct Training Programs

Finally, it's highly recommended that you conduct frequent training programs to ensure that your employees can handle consumer requests promptly and consistently.

Colorado Privacy Act Enforcement and Penalties

The CPA does not provide for a private right of action. Unlike other state laws, the CPA is enforceable by the Colorado attorney general and district attorneys.

Before any enforcement action, the attorney general or district attorney must issue a notice of violation to the controller, who then has 60 days to correct or "cure" the violation.

However, the 60-day cure period will only be effective for the first 18 months and will no longer exist after January 1, 2025.

A violation of the CPA is considered a deceptive trade practice, but there is no specific fine or penalty in the CPA's provisions.

For the time being, CPA penalties fall under the scope of the Colorado Consumer Protection Act and range from $2,000 to $20,000 per violation.

It is also worth noting that violations under the CPA can lead to criminal charges, thanks to the Consumer Protection Act oversight.

Colorado Privacy Act vs the California Consumer Privacy Act (CCPA)

In many ways, the CPA is similar to the CCPA, but there are differences in its provisions that you should be aware of.

Let's briefly look at some of their key similarities and differences.

Similarities

• Both laws apply to businesses targeting their residents and processing the personal data of more than 100,000 consumers annually.
• Both laws give consumers certain privacy rights.
• Both laws aim to protect personal data and make additional provisions for sensitive data.
• Both laws give businesses 45 days to respond to consumers' requests.
• Both laws require the state to issue notices of violations to cure any alleged violations before taking enforcement action.
• Both laws exempt certain organizations already regulated under other federal laws.

Differences

• Unlike the CCPA, the CPA does not provide for a private right of action and is only enforceable by the Colorado attorney general and district attorneys.
• The CPA's cure period for alleged violations is 60 days, which is double California's law.
• The CPA does not include a revenue threshold, in contrast with the CCPA's $25 million revenue threshold.
• Unlike California's law, the CPA does not explicitly specify penalties for violating its provisions.
• The CPA's mandatory "user-selected universal opt-out mechanism" is not required under the CCPA.

Summary

The CPA is acknowledged to be a work in progress and will likely release additional guidance on its practical implementation over time.

Although the law does not take effect until July 1, 2023, now is a good time to start assessing your company's compliance obligations.

If your business already complies with California or Virginia privacy laws, you may not need to do much to be considered compliant under the CPA.

Key takeaways from this article that can help your business comply with the CPA include:

• Observe consumers' privacy rights and help users exercise them upon request
• Provide a Privacy Policy as required by the law written in simple, plain language
• Be transparent and explicit when providing information relating to consumers' personal data
• Obtain explicit, affirmative consent before processing consumers' sensitive data
• Implement a universal opt-out mechanism that satisfies the technical requirements of the law when announced by the attorney general
• Provide reasonable security measures to protect personal data from unauthorized access
• Perform regular data protection assessments before processing personal data and document the results
• Implement training programs for employees to ensure prompt and consistent responses regarding consumers' requests
• Stay up-to-date on privacy trends to ensure complete compliance with the CPA

All US Privacy Laws

Want to read more about privacy laws in the USA? Start here: