Dec 7, 2022

Colorado following California and Virginia Privacy Regulations

What is the Colorado Privacy Act (CPA)?

On July 7th of 2021 Colorado passed a comprehensive privacy legislation for the first time in its state’s history. This enactment was the third of its kind in 2021 following California and Virginia. The legislation can be linked through their reminiscence of the California Consumer Privacy Act of 2018 (CCPA). The CPA is set to become effective on July 1st, 2023. 

Who Does it Apply To?

The CPA applies to organizations that conduct business in Colorado by producing or delivering commercial products and/or services that are targeted to residents of Colorado. Additionally, they must meet either of the following conditions for the law to apply to their business: 

  • They control or process the personal data of at least 100,000 consumers or more during a calendar year; or
  • They derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

There is no exemption for non-profits, but there are other instances in which the law provides exemptions. The most notable is that it does not apply to individuals acting in a commercial or an employment context, including job applicants. Additionally, under the CPA, the regulations do not apply to HIPPA-covered entities.

However, businesses that do not meet these thresholds may still be required to follow these requirements. This can occur when processors of personal data are doing so on the behalf of a client that is subject to the CPA and are obligated to comply with this law via contract. 

What are the Consumer Rights?

The CPA creates multiple consumer rights, many of which mirror those created by the California and Virginia privacy laws. 

Consumer Rights Under the CPA:

  • Right to Access: the right to confirm whether a controller is processing personal data concerning the consumer and have access to their personal data.
  • Right to Correction: the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data. 
  • Right to Deletion: the right to delete personal data concerning the consumer.
  • Right to Data Portability: the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
  • Right to Opt-Out: the right to opt-out of the processing of personal data concerning the consumer for purposes of:
    • targeted advertising
    • the sale of personal data, or
    • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

The CPA requires controllers to fulfill consumer requests within 45 days, but if there is a reasonable necessity; a 45-day extension will be granted. Notably, the CPA does not create a right to action for consumers and leaves enforcement of the act in the hands of the Attorney General and District Attorneys. 

What are Key Requirements for the Law?

The CPA creates multiple duties for controllers to provide the consumer. 

Duty of Transparency: a controller is required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: 

  • The categories of personal data collected or processed by the controller or a processor 
  • The purposes of processing the personal data
  • How and where consumers may exercise their rights created under the CPA, and guidance on contacting the relevant parties 
  • If the controller shares personal data with third parties, they must provide which categories of personal data have been shared
  • If the controller shares personal data with third parties, they must provide the categories of third parties that have received the data
    • If a controller sells personal data to third parties, they must clearly and conspicuously disclose the sale or processing as well as the manner in which a consumer may opt-out of the sale.

Duty of Purpose Specification: a controller must specify the purposes for which they are collecting and processing personal data.

Duty of Data Minimization: a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.

Duty to Avoid Secondary Use: a controller should not process data outside the scope of the specified purposes that the consumer agreed to when giving consent to collect and process their personal data.

Duty of Care: a controller must take reasonable steps to secure personal data during all stages of handling. These security measures must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. 

Duty to Avoid Unlawful Discrimination: a controller cannot process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers. 

Duty Regarding Sensitive Data: to process sensitive data the controller must first gain consent. When the sensitive data is obtained from a known child, consent must be obtained from the child’s parent or legal guardian. 

Data Protection Assessments: a controller cannot conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment for each of its processing activities that involve this heightened risk.

Data Processing Contracts: a contract between a processor and controller must be created prior to a processor processing data given by the controller. This contract must outline the processing instructions to which the processor is bound, including the nature of the processing, the type of personal data, and the length of time of they can process the data. 

Penalties for Violations 

Once it goes into effect on July 1, 2023, the Colorado Privacy Act will be enforced by the Colorado Attorney General and Colorado District Attorneys. Non-compliance with the law is considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation up to $500,000 for a series of violations. The Act does provide for a 60-day curing period, but this period will be available only until January 1, 2025.

Key Definitions to Understand the Law

Consent is defined as “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data”.

Consumer means an individual who is a Colorado resident acting only in an individual or household context and does not include an individual acting in a commercial or employment context. Such as a job applicant, or as a beneficiary of someone acting in an employment context. 

Personal Data means information that is linked or reasonably linkable to an identified or identifiable individual. This does not include publicly available data or data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual. This type of data is known as “de-identified data” and is not considered personal data under the CPA. 

Sensitive Data is defined as personal data that reveals any of the following:
  • Racial or ethnic origin 
  • Religious beliefs 
  • Mental or physical health condition or diagnosis 
  • Sexual orientation 
  • Citizenship or citizenship status

Sensitive data also includes any genetic or biometric data that may be processed to uniquely identify an individual, or personal data from a known child. 

How We Can Help

If you need help meeting the CPA requirements, Tevora’s team of privacy and security experts have you covered. We are continually helping organizations from every industry achieve compliance with new and emerging privacy laws. We would welcome the chance to do this for you.

Additional Resources

Talk to an Expert 

If you have questions about the CPA or would like help implementing changes in your environment to ensure CPA compliance, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com. Take a look at our Privacy Tracker that helps you stay up to date with every privacy regulation.