Colorado Joins the Bandwagon, Enacts Comprehensive Privacy Law
July 8, 2021
The year 2023 is proving to be an important year in the privacy world. Colorado recently joined an expanding list of states to have enacted comprehensive privacy laws. Colorado’s law, known as the Colorado Privacy Act, or ColoPA for short, will take effect on July 1, 2023, only six months after the Virginia Consumer Data Protection Act (“VA CDPA”) and the California Privacy Rights Act (“CPRA”) take effect on January 1, 2023. ColoPA offers many similarities to these laws, as well as to existing comprehensive privacy laws, such as the California Consumer Privacy Act of 2018 (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”). Below is a summary of the key provisions of ColoPA and how it stacks up against other comprehensive privacy laws.
ColoPA applies to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that meet one or both of the following thresholds:
- Control or process personal data of more than 100,000 consumers per calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.
ColoPA’s applicability thresholds are somewhat unique. For example, there is no threshold based solely on an entity’s gross revenue amount like under the CCPA. Rather, both thresholds are tied to personal data. While ColoPA’s applicability thresholds are similar to those in the VA CDPA, ColoPA’s second threshold is broader, encompassing receipt of discounts as well as any derivation of revenue from the sale of personal data, as opposed to VA CDPA’s threshold requiring derivation of 50% of gross revenue from the sale of personal data and not accounting for receipt of discounts.
ColoPA does not apply to (i) personal data governed by certain state and federal laws, such as HIPAA, HITECH, the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (GLBA); (ii) state or local governments, provided the data is only used for noncommercial purposes; or (iii) personal data maintained for employment records. Additionally, like the VA CDPA, ColoPA expressly does not restrict a business’s ability to provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract.
ColoPA defines “consumer” to mean a natural person who is a Colorado resident acting only in an individual or household context in providing personal data, which is analogous to the VA CDPA’s definition of consumer. ColoPA’s definition of consumer is narrower than the comparable definitions used in the CCPA and the GDPR, and specifically excludes an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
Under ColoPA, “personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publicly available information. Like the GDPR, CPRA, and VA CDPA, ColoPA also offers specific protections to “sensitive data,” which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; or (iii) personal data of a known child (13 years old or younger).
ColoPA is similar to the GDPR and the VA CDPA in that it divvies up responsibility between two main roles: the controller and the processor. Under ColoPA, “determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed.” Further, the roles may be fluid. For example, a processor that fails to adhere to processing instructions from a controller will be a controller, not a processor, with respect to such processing.
Under ColoPA, the duties of controllers include transparency, purpose specification, data minimization, avoidance of secondary use without consumer consent, care, avoidance of unlawful discrimination, and obtaining consent to process sensitive data. The duty of transparency requires controllers to provide a reasonably accessible, clear, and meaningful privacy notice to consumers. The privacy notice must include, among other things, the categories of personal data collected or processed, the purposes for processing that data, how consumers can exercise their rights, the categories of personal data shared with third parties, the categories of third parties with whom the controller shares that data, and whether the controller sells personal data or processes personal data for targeted advertising.
Somewhat similar to the VA CDPA, the ColoPA requires controllers to perform a data protection assessment of any processing activities that present a heightened risk of harm to consumers, which includes processing for targeted advertising, profiling (if the profiling presents certain risks), the sale of personal data, or sensitive data. Colorado’s Attorney General can request and review these data protection assessments.
ColoPA requires processing by a processor to be governed by a contract between the controller and the processor setting forth, among other things, the processing instructions for the processor, the type of data subject to processing, confidentiality obligations, subcontracting requirements, security measures, and an audit right.
Like the comprehensive privacy laws that precede it, ColoPA grants consumers the right to make requests to (1) opt-out of certain types of processing; (2) access their personal data; (3) correct inaccuracies in their personal data; (4) delete their personal data; and (5) obtain a copy of their personal data in a portable format.
ColoPA’s opt-out rights track those in the VA CDPA and allow consumers to opt out of processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in a way that produces legal or similarly significant effects on the consumer. “Targeted advertising” includes advertising to a consumer based on the consumer’s activities across non-affiliated websites, but does not include, among other things, advertisements based on activities within a controller’s own website or advertisements based on the context of a consumer’s current search query, visit to a website, or online application. “Sale of personal data” means the exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party. ColoPA’s definition of “sale” aligns with the CCPA’s definition of sale and is broader than the VA CDPA’s definition of sale.
A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary. Like under the VA CDPA, a controller must also provide consumers with an appeals process if it denies a consumer’s request. The appeal process must be conspicuously available to consumers and as easy to use as the process for submitting requests. A controller has 45 days to respond to an appeal.
Enforcement and Forthcoming Rules
There is no private right of action under ColoPA. Rather, the Colorado Attorney General and district attorneys have exclusive enforcement rights. Upon receipt of a notice of violation, a controller has 60 days to cure the violation. However, the right to cure will be repealed on January 1, 2025.
The Colorado Attorney General will promulgate rules for a universal opt-out mechanism under ColoPA by July 1, 2023, and will further promulgate rules for issuing opinion letters and interpretative guidance to develop an operational framework, including a safe harbor for compliance, by July 1, 2025.
Businesses that may be subject to ColoPA, especially those that are currently subject to the CCPA and/or the GDPR and will be subject to the VA CDPA and/or CPRA, should review ColoPA and make a plan for compliance. Further, businesses may want to consider consolidating compliance efforts to comply with all upcoming privacy legislation taking effect in 2023. If you would like assistance with, or have any questions about, complying with ColoPA or the myriad other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys.