Colorado: The Third State With a Comprehensive Consumer Privacy Law

Earlier this month, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA), making Colorado the third state (joining California and Virginia) with a comprehensive consumer privacy law. The law gives consumers the rights to:

  • The Right to Opt-Out.  Like Californians and Virginians, Coloradans have the right to demand that their personal data not be sold.
  • The Right to Access.  Like Californians and Virginians, Coloradans have the right to access their data.
  • The Right to Correction.  Like Californians and Virginians, Coloradans have the right to correct inaccuracies in their data.
  • The Right to Data Portability.  Like Californians and Virginians, Coloradans have the right to obtain a copy of personal data in a portable format.
  • The Right to Delete.  Like Californians and Virginians, Coloradans have the right to demand that their data be deleted.

The Colorado consumer cannot be charged for his/her first request in a year but can be charged for any additional requests within that same year.

The covered businesses must respond to consumer requests within 45 days, which the business can extend for another 45 days after it informs the consumer of the reason for the delay. Similar to the Virginia law, the CPA requires the business to provide the consumer with an appeals process if it does not respond to the request.

It also requires businesses covered by the law to secure the personal data they hold and to explain in clear, understandable terms how that personal data is used. It increases accountability and compliance by requiring assessments of the collection and use of personal data.

Who Does the Law Apply to?

The law covers companies that do business in Colorado or target Colorado residents AND either: 1) control or process the personal data of at least 100,000 Colorado residents a year, or 2) receive revenue or discounts from selling personal data while also processing or controlling the personal data of at least 25,000 Colorado residents. Unlike the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the CPA has no monetary threshold for qualifying as a covered business.

That said, the CPA exempts certain entities as well as certain types of data. For example, air carriers are not covered by the law, nor is personal data collected for particular purposes under laws such as the Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act. The CPA contains several health care exemptions but stops short of fully exempting health care entities, as the Virginia Consumer Data Protection Act (VCDPA) does. The law does not apply to employment records. Notably, unlike the California and Virginia laws, the CPA does not exempt nonprofits.

Similar to the laws of California and Virginia, the CPA defines “consumer” as a Colorado resident. It excludes “an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”

Significant Highlights of the Colorado Law

Definition of Sale

The CPA limits the definition of sale to third parties. Sale is defined as “the exchange of personal data for monetary or other valuable consideration by a controller [covered business] to a third party.” Similar to the Virginia law, the CPA requires an exchange of money or something else of value.

The definition also contains exceptions, including the following: it is not considered a sale under the law if “a consumer directs the controller to disclose or intentionally discloses [their personal data] by using the controller to interact with a third party.” The CPRA also contains this sale exemption. It is also not a sale if the consumer makes their personal data available to the general public “via a channel of mass media.”

Right to Opt Out

The CPA allows the consumer to opt out from: 1) targeted advertising; 2) the sale of their personal data; and 3) consumer profiling for the purpose of making legal or significant decisions affecting the consumer.

The latter is defined as “a decision that results in the provision or denial of financial or lending services, housing, insurance, educational enrollment or opportunities, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” While the Virginia law contains these same three categories, the Colorado law has a different effect given its narrower definition of sale.

Controller and Processor Duties

The CPA makes a distinction between “controller” and “processor.” A controller is defined as a business that “determines the purpose and means of processing personal data,” while a processor is a business that processes the personal data for the controller.

The law imposes specific duties on the controller, including a duty of transparency, which means that it must explain its privacy policies and the process by which consumers can exercise their rights. Controllers are also required to be specific about their purpose for collecting personal data, to limit their data collection to what is reasonably necessary for that purpose, to avoid any secondary use, and to avoid unlawful discrimination against consumers who exercise their rights.

The controller must also receive consent from the consumer regarding “sensitive data” which is distinguished from “personal data.” Personal data is “information that is linked or reasonably linkable to an identified or identifiable individual” and excludes data that has been de-identified or is available to the general public. Sensitive data is defined as “(a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.”

Similar to the European Union’s General Data Protection Regulation (GDPR), controllers must conduct “data protection assessments” where processing may result in a heightened risk of harm to the consumer. These circumstances include selling personal data, processing sensitive data, and processing for the purposes of targeted advertising and consumer profiling. The controller must weigh the benefits of the processing against the risk to the consumer, and this assessment must be handed over to the Attorney General upon request. Unlike the GDPR, the CPA does not specify how often this assessment must be conducted.

Under the CPA, the processors must help the controllers comply with the law and in this vein, are required to give them the right: to audit, to delete, and to object to subprocessors.

Enforcement

Similar to Virginia’s law, the CPA does not grant individual consumers a private right of action. Instead, the Colorado Attorney General and the state district attorneys will enforce the law. Initially, the violating business will have 60 days to cure after the Attorney General or the state district attorneys alert it of a violation. However, this provision only lasts until January 1, 2025.

Covered businesses will have two years to make the changes required under the law, since the significant provisions will not take effect until July 1, 2023. As of July 1, 2024, companies that sell personal data or process data for targeted advertising must allow consumers to opt out via a “user-selected universal opt-out mechanism.” The Attorney General’s office may issue the technical specifications for such a mechanism beforehand.

Finally, violations of the CPA are considered deceptive trade practices and as such are governed by the Colorado Consumer Protection Act, which provides a civil penalty of $20,000 for each violation, with a maximum of $500,000 for a related series of violations.

Conclusion

The passage of the CPA on the heels of the passage of the Virginia Consumer Data Protection Act represents significant progress in the fight for data rights in the U.S.

With the enactment of each new privacy law, businesses are increasingly put on notice to stop exploiting consumers’ personal information.