Last updated on 12 August 2022 by Stephen Titcombe (Legal writer at TermsFeed)
The Colorado Privacy Act (CPA) is a comprehensive data privacy framework signed into law on July 8, 2021, and set to take effect on July 1, 2023.
The legislation generally aims to protect the privacy of Colorado's residents by imposing certain responsibilities on companies that collect or process their personal data.
Following the recent trend of states passing their own data privacy frameworks, Colorado has now joined California and Virginia, becoming the third state in the U.S. to enact a comprehensive data privacy law.
The law will have a significant impact on consumers and certain businesses in Colorado, which means you need a reliable and proactive compliance strategy to stay ahead of potential liability.
Without further ado, let's see what the CPA entails, including its purpose, who it applies to, what it requires, and how your business can ensure CPA compliance.
The CPA was primarily designed to protect the digital privacy of the residents of Colorado by giving them more control over how their personal data is handled.
To do this, the law requires businesses to be responsible custodians of data and take certain steps to guarantee the protection of consumers' privacy.
The introduction of the CPA is thanks to the ever-increasing awareness of data security and digital privacy, as well as the proliferation of privacy regulations like the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Virginia Consumer Data Protection Act (CDPA).
In fact, the CPA's fundamental framework was designed in a very similar fashion to these laws, most notably the CCPA, the CPRA, and the CDPA. The CPA, however, includes a few noteworthy differences in its provisions, but we'll go into that later.
As a company operating in Colorado or targeting its residents, the CPA provides rules about:
Now that we know why the CPA was created and what it intends to accomplish, let's briefly examine the rights and liberties granted to consumers under the law.
Like most modern privacy laws, the CPA provides consumers with certain rights regarding the processing of their personal data. Briefly, they are as follows.
Under the CPA, consumers have the right to know whether your business collects or processes their personal data. If so, consumers also have the right to access their data.
Consumers have the right to opt out of the processing of their personal data for such purposes as:
Although the CPA's right to opt out isn't notably different from other laws, its method for opting out is.
Under the law, businesses are required to implement a "user-selected universal opt-out mechanism" that allows consumers to exercise their opt-out right by clicking a single button.
The universal opt-out mechanism hasn't been specified yet, but the Colorado attorney general is expected to provide the technical standards before July 1, 2024. We'll keep you informed as additional information becomes available.
Under the CPA, consumers have the right to correct any inaccurate or outdated details in the data collected about them.
The CPA gives consumers the right to request that their personal data be deleted from your records.
For example, here's how Gymshark presents this right in its Privacy Notice:
Consumers are also entitled to obtain a copy of their personal data in a portable and readily usable format for transfer to a third party without hindrance.
Finally, you must develop mechanisms to promptly respond to consumers' requests regarding their personal data. According to the CPA, your response time shouldn't exceed 45 days after receiving the request.
However, you may extend that deadline by an additional 45 days in certain cases (e.g., when consumers' requests are complex or high in volume), but make sure to let consumers know the reason for the extension.
Before looking at the scope and requirements of the CPA, you need to understand how certain terms are defined under the law.
A consumer (for purposes of the CPA) refers to "a resident of Colorado acting only in an individual or household context."
A person operating in a commercial or employment capacity (e.g., a job candidate) is not considered a consumer under the CPA.
The CPA defines personal data as:
"Information that is linked or reasonably linkable to an identified or identifiable individual"
From this definition, personal data may include but isn't restricted to the following:
However, personal data does not include:
Under the CPA, sensitive data refers to a type of personal data that requires explicit consent and handling. It includes personal data that could reveal the following:
The CPA defines processing as:
"The collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data"
Practically speaking, any action carried out on personal data can be labeled as processing.
Similar to the GDPR's definition, the CPA defines a controller as an individual or entity that "determines the purposes for and means of processing personal data."
Controllers are generally held more accountable for compliance under the CPA than processors.
A processor, on the other hand, refers to an individual or entity that "processes personal data on behalf of a controller."
Processors typically operate under the direction and supervision of controllers.
The CPA applies to controllers that operate within the borders of Colorado or sell commercial products or services to its residents, and that meet any of the following thresholds:
Compliance may be easier for smaller businesses, as these stipulations are almost identical to those in the CCPA and Virginia's CDPA.
In sum, even if your company is located in Utah, as long as you offer products or services to Colorado residents and meet either threshold specified above, the CPA will apply.
Compliance with the CPA is not required for all businesses. For example, businesses that don't reach the yearly threshold for the number of residents whose data they process are exempt from the CPA's scope.
The following organizations are also exempt from having to comply with the CPA:
It is worth noting that, unlike other U.S. privacy laws, the CPA doesn't exempt nonprofit organizations.
Reminiscent of the GDPR's data processing principles, the CPA provides a set of obligations that must be observed by organizations under its scope. Briefly, they are as follows.
Under the CPA, you are required to explicitly inform consumers about what type of personal data you collect from them and the reasons for doing so.
The CPA requires businesses to limit the amount of data obtained from consumers and to collect only "adequate, relevant, and reasonably necessary information," which must be used only for the pre-established purpose.
Expanding on the duty of data minimization, the CPA allows you to process a consumer's data for purposes that are not reasonably necessary or compatible with pre-established purposes only after obtaining the consumer's explicit consent or approval.
Another important requirement under the CPA is to take reasonable measures to protect personal data from unauthorized access during its use or storage.
Furthermore, the measures taken must be appropriate to the volume, scope, and nature of the data being processed as well as the type of business.
The CPA prohibits you from processing personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers.
Lastly, the CPA requires you to obtain informed and explicit consent before processing a consumer's sensitive data.
If the consumer is a known child, you must obtain explicit and informed consent from the child's parent or guardian.
To stay compliant with the Colorado Privacy Act, make sure you observe the following.
Data protection assessments help organizations evaluate how they use, sell, and process personal data, as well as the risks involved in the processing.
If you are a business owner, the CPA requires you to regularly conduct data protection assessments before implementing processing activities that may present a heightened risk of harm to consumers.
Additionally, it's recommended that you document these assessments whenever they are conducted.
The CPA requires you to implement a user-selected universal opt-out mechanism to allow consumers to opt out of the sale of their personal data, targeted advertising, and profiling.
The opt-out mechanism must be implemented before July 1, 2024, and satisfy the technical requirements set forth by Colorado's attorney general.
Like other U.S. privacy laws, the CPA is more protective of sensitive data and, as such, requires you to obtain explicit consent from consumers before attempting to process their sensitive data.
According to the CPA, consent must be freely given, specific, informed, unambiguous, and characterized by a clear, affirmative action.
The best way to do this is to use a clickwrap method to ensure that consumers have reviewed and consented to your data policies and practices.
For example, here's how PayPal obtains explicit consent from its users before they sign up:
Under the CPA, you must implement reasonable security measures to keep personal data from falling into the wrong hands.
To stay compliant, you need to implement and constantly revise your cybersecurity safeguards to ensure that they're up to industry-recognized standards.
Finally, it's highly recommended that you conduct frequent training programs to ensure that your employees can handle consumer requests promptly and consistently.
The CPA does not provide for a private right of action. Unlike other state laws, the CPA is enforceable by the Colorado attorney general and district attorneys.
Before any enforcement action, the attorney general or district attorney must issue a notice of violation to the controller, who then has 60 days to correct or "cure" the violation.
However, the 60-day cure period will only be effective for the first 18 months and will no longer exist after January 1, 2025.
A violation of the CPA is considered a deceptive trade practice, but there is no specific fine or penalty in the CPA's provisions.
For the time being, CPA penalties fall under the scope of the Colorado Consumer Protection Act and range from $2,000 to $20,000 per violation.
It is also worth noting that violations of the CPA can lead to criminal charges because of the Consumer Protection Act's oversight.
In many ways, the CPA is similar to the CCPA, but there are differences in its provisions that you should be aware of.
Let's briefly look at some of their key similarities and differences.
The CPA is acknowledged to be a work in progress, and additional guidance on its practical implementation will likely be released over time.
Although the law does not take effect until July 1, 2023, now is a good time to start assessing your company's compliance obligations.
If your business already complies with California or Virginia privacy laws, you may not need to do much to be considered compliant under the CPA.
Key takeaways from this article that can help your business comply with the CPA include:
Want to read more about privacy laws in the USA? Start here:
| Law | Description |
| --- | --- |
| COPPA: Children's Online Privacy Protection Act | Federal law that protects the privacy of children under 13 years of age when online or using a mobile app. |
| HIPAA: Health Insurance Portability and Accountability Act | Federal law that protects the privacy of health information of individuals. |
| California CCPA: California's Consumer Privacy Act | California law that gives consumers many privacy rights while putting transparency obligations on businesses. |
| California CPRA: California's Privacy Rights Act | California law that expands the CCPA and gives consumers additional rights. |
| Virginia CDPA: Virginia's Consumer Data Protection Act | Virginia law that allows users to opt out of the sale of their personal data. |
| Maryland PIPA: Maryland's Personal Information Protection Act | Maryland law that requires businesses to keep personal information private and secured. |
| Utah UCPA: Utah's Consumer Privacy Act | Utah law that provides a range of consumer privacy rights, including the right to data portability. |
| Connecticut CTDPA: Connecticut's Personal Data Privacy and Online Monitoring | Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data. |
| Colorado CPA: Colorado's Privacy Act | Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data. |
| Florida FPPA: Florida's Privacy Protection Act | Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent. |
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.