For companies who have been closely monitoring news about consumer data privacy laws, the CPA may not surprise them. However, it isn’t an exact copy of the CPRA or VCDPA. Businesses will have to evaluate whether the new Colorado data privacy law applies to them. If the CPA does apply to their business and they choose not to follow obligations under the CPA, businesses may face injunctions and civil penalties.
Who Needs to Comply with the CPA?
The CPA applies to any legal entity that conducts business or delivers products or services targeted to Colorado residents and:
- Controls or processes the personal data of at least 100,000 Colorado residents each year, or
- Earns revenue or receives a discount on goods or services from selling personal data and processes or controls the personal data of at least 25,000 Colorado residents.
Unlike other consumer data privacy laws, the new Colorado data privacy law doesn’t provide a revenue threshold.
Important Definitions
Controllers are those that decide the purpose and means of processing personal data. Processors process personal data for a controller.
Under the CPA, personal data is any information unavailable to the public or can reasonably be linked to an identifiable person.
The law also protects sensitive data, which includes any data demonstrating a person’s race, ethnic origin, and religious beliefs. This data also includes mental or physical health condition, sexual orientation, sex life, citizenship, and genetic or biometric data. Personal data of a known child is also sensitive data
Controller Obligations Under the CPA
Generally, the new Colorado data privacy law requires controllers to:
- Give consumers a reasonably accessible, clear, and meaningful privacy notice
- Specify the purpose for collecting and processing personal data
- Avoid using the personal data in a way not reasonably necessary for their specified purpose
- Collect and use only the data reasonably necessary for their purpose
- Implement security measures appropriate to the personal data they collect and process
- Not process personal data in violation of state or federal anti-discrimination laws
- Not process personal data without consent
- Conduct data protection assessments for high-risk processing activities
- Establish contracts with processors that outline the processors’ responsibilities
Companies need to comply with these obligations by July 1, 2023.
Though these requirements are similar to CPRA and VCDPA, they aren’t identical. There are differences with opt-out rights, opt-out signals, sensitive data requirements, data protection assessments, contract requirements, consumer appeals, and more.
Consumers’ Rights Under the CPA
Consumers have a right to:
- Confirm whether a controller processes personal data about the consumer and access their personal data
- Correct mistakes in their personal data
- Delete their personal data
- Obtain personal data in a portable and readily usable format that allows them to transmit the data to another entity
- Opt out of the processing of their data for targeted advertising, the sale of personal data, and profiling for decisions that produce legal or other significant effects
- Appeal a decision if a business denies the consumer’s request or fails to act
These are similar to California and Virginia’s laws. However, Colorado consumers can only use an authorized agent to opt out of sale requests. Also, Colorado requires a universal opt-out, while California makes this optional.
Consumer Access Requests
When a consumer makes an access request, businesses have 45 days to respond. Businesses can extend their time by another 45 days. If the company doesn’t act or refuses to act, it has to give the consumer an appeals process. Virginia also requires an appeal process in its consumer privacy law.
The consumer can contact the attorney general if they have concerns.
Exemptions
There are exemptions. For example, the CPA doesn’t apply to:
- Certain activities regulated by the Fair Credit Reporting Act
- Certain financial institutions and their affiliates
- Personal data protected by certain federal and state privacy laws
- Data maintained for employment records purposes (human resources data)
Colorado’s exemptions differ from California and Virginia’s exemptions. As a result, businesses that have to comply with one state’s law may not have to comply with another.
Enforcement for the New Colorado Data Privacy Law
The Colorado state attorney general and district attorneys will enforce the CPA through injunctions and civil penalties. What’s unique about the CPA is that it gives a longer period to cure a violation than California and Virginia. The CPA gives 60 days from the date of notice. However, this provision expires on January 1, 2025. At that point, enforcement can be immediate.
The CPA doesn’t provide specific fines. Instead, violations are deceptive trade practices under the Colorado Consumer Protection Act. The act provides for fines up to $20,000 per violation.
While businesses will have to worry about enforcement with the attorney general, they won’t have to fear private litigation. The law specifically doesn’t create a cause of action. Consumers won’t be able to sue a company for violating the CPA.
