A Deep Dive Into The Colorado Privacy Act

February 1, 2024

By: Chris M. Spurr

Synopsis: In the absence of federal legislation, Colorado recently joined a growing number of states with its own comprehensive privacy law. The Colorado Privacy Act (CPA), effective July 1, 2023, is equal parts consumer protection and compliance blueprint. This article provides consumers and business owners with the information needed to assess their rights and compliance obligations under the CPA. At first glance, the CPA is relatively straightforward. As with all legislation, however, judicial interpretation, exceptions, and omissions are as important as the text itself. In future articles, attorney Chris Spurr, CIPM/US-CIPM, will focus on the CPA’s omissions and distinctions as compared to other comprehensive state laws – a crucial exercise in the age of cross-border commerce and patchwork regulations.

Colorado Privacy Act Generally: Put simply, the CPA grants Colorado consumers various rights regarding their personal data and imposes obligations on certain entities in contact with such information. On the consumer side (consumers are often referred to as “data subjects” in the context of privacy), the rights involve access, deletion, correction, and additional controls in certain circumstances. With respect to entities with compliance obligations, the law requires certain businesses, nonprofits, and other entities to inform consumers how they use personal data, and to take precautions that reduce the risk that data collection harms consumers. Finally, the law grants the attorney general the authority to hold entities accountable for failing to comply. Though progressive in some respects, the CPA does not contain a private right of action.

Threshold applicability, specifics, and exceptions are as follows:

Applicability: The CPA applies to controllers (defined below) that: (i) conduct business in Colorado (regardless of physical location); or (ii) produce or deliver commercial products or services that are targeted towards Colorado residents, and either:

  • Control or process personal data of 100,000 or more Colorado consumers during a calendar year; or
  • Derive revenue or receive discounts on the price of goods or services from the sale of personal data, provided that the entity also processes or controls the personal data of 25,000 or more Colorado consumers.

In this context, and in contrast with other laws, “personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” It does not include de-identified data or publicly available information.

“Controllers” are entities that determine the purpose and means of processing personal data, while “consumers” are Colorado residents acting in an individual or household capacity. Notably, “consumer” does not include Colorado residents acting in a commercial or employment context. Additionally, note that “process” includes not only data collection, but also its storage. As a result, the reference to “calendar year” in the above requirements is somewhat misleading. Though there is technically an annual “clock” that resets the numerical threshold for Colorado consumers (i.e. 100,000 or 25,000 when the revenue requirement is met), the numerical threshold for each calendar year includes information gathered in previous years but presently stored. As a result, sound data life cycle management and destruction principles are no longer just a way to minimize existing exposure. Rather, they offer a potential way to circumvent the CPA’s applicability altogether.  

As to the revenue requirement where an entity collects data on fewer than 100,000 but at least 25,000 consumers, a “sale” is defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” The definition contains exceptions, such as the disclosure of personal data to a processor that processes personal data on behalf of a controller, and the disclosure of personal data to third parties that provide a product or service requested by the consumer.

Unlike other states, Colorado does not have a separate revenue threshold that triggers applicability regardless of the number of data subjects. For example, the California Consumer Privacy Act includes a separate revenue threshold trigger of $25,000,000, whereby the privacy law is applicable even if the number of data subjects is nominal. The CPA has no such requirement. Rather, the CPA is predicated on the number of Colorado residents about whom an entity holds personal data, with the revenue considerations merely dictating the applicable data subject threshold. As a result, Colorado entities are not able to avoid compliance where the other thresholds are met simply because revenue is nominal.

Note, however, that even if an entity satisfies the threshold requirements above, it may still be exempt for various reasons. For example, the CPA may not apply to entities or even specific data sets that are subject to other preemptive regulations (such as financial institutions subject to the Gramm-Leach-Bliley Act, and many types of healthcare-related data). As a result, an entity may find itself with distinct compliance obligations applicable to only certain arms of the business or a portion of its data. Such determinations require a fact-based analysis with the advice of counsel. 

Consumer Rights: If applicable, the CPA grants various rights to consumers, the most notable of which are as follows: 

Right to Opt-Out: If applicable, consumers may opt-out of: (i) targeted advertising (defined below); (ii) the sale of their personal data; and (iii) certain types of profiling based upon their data. The right to opt-out of targeted advertising and profiling drew significant ire from marketing and data analytics professionals.

“Targeted advertising” is essentially any advertisement displayed to a consumer based on personal data obtained or inferred from the consumer’s activities across nonaffiliated products or services when that data was used to predict consumer preferences or interests. That said, full analysis of what constitutes targeted advertising is nuanced and should be discussed with counsel. If you think your entity may engage in targeted advertising, we recommend confirming with counsel so you can timely respond to a consumer’s opt-out request.

Sometimes referred to as automated decision-making, “profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified (or identifiable) individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Businesses engaged in targeted advertising or profiling should be mindful that, in addition to the CPA’s statutory requirements, public sentiment will likely force policymakers to further restrict these activities. It is important for businesses to understand what practices they engage in, both for the purpose of processing consumer requests and to ensure their practices align with larger organizational goals.

In addition, a consumer may also opt-out of a controller’s prospective sale of personal information. Note that consumers may prevent the exchange of their data for monetary or other considerations. Consumers, however, may be disappointed to learn that certain exceptions partly swallow the rule. Data transfers to affiliates, transfers made for the purpose of providing a product or service requested by the consumer, and data exchanges that are part of M&A and other transactions are generally excepted. 

As to the opt-out mechanism itself, beginning on July 1, 2024, consumers may use a universal opt-out mechanism to communicate their opt-out choice to multiple businesses using one method, rather than opting out of data collection on a case-by-case basis. The current list of approved universal opt-out mechanisms may be found here. Otherwise, entities should adopt an opt-out mechanism that is consumer-friendly, clearly described, and easy for the average consumer to use.

Right of Access: In addition to the opt-out rights described above, consumers may also confirm whether a controller is processing their personal data. If so, the consumer may also demand access to the data. This right of access includes any final profiling decisions, inferences, derivative data, and other personal data created by the controller that is linked or reasonably linkable to an identified or identifiable individual. Entities subject to the CPA are advised to maintain data inventories that may be referenced when handling such requests.

Right to Correction: Consumers have the right to correct inaccuracies in their personal data. The legislature, however, placed parameters on this right by indicating that the nature of the consumers’ data and the purpose of its processing may serve as factors when evaluating the request. 

Right to Deletion: Consumers have the right to delete their personal data, including not only what was supplied directly by the consumer, but also data that “concerns” them.

Right to Data Portability: Finally, when accessing their data, a consumer has a right to receive the data in a portable format. Additionally, to the extent technically feasible, the data must be provided in a “readily usable” format that allows the consumer to transmit that data to another entity. These changes may create a considerable burden on controllers when responding to access requests, and entities must be careful not to disclose trade secrets in the process. As a result, early adoption of data management best practices is likely to prove cost-effective in the long run. 

Controller Obligations: In addition to the consumer rights described above, the CPA imposes several obligations on entities that are subject to the law. Notable examples include:

Consent: The CPA requires affirmative consent to process sensitive data. “Sensitive data” includes: (i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of identifying an individual; and (ii) the personal data of a known child. For sensitive data collected prior to July 1, 2023, businesses may rely on consent obtained before that date to continue processing. Without valid consent prior to July 1, 2023, an entity has until January 1, 2024 to obtain the subject’s consent to process previously-collected sensitive data. There is no similar grace period for obtaining consent for data collected after July 1, 2023.  

A distinction, however, exists for inferences drawn from sensitive data. Such inferences may be processed without consent if, among other requirements, the inferences are deleted within 24 hours of processing. Even then, a controller must disclose the sensitive data inferences to the data subject. Moreover, to implement this type of “consent-free” limited processing, the relevant details of the entity’s data retention and deletion policies must also be disclosed in a Data Protection Assessment, discussed below.

As for operational compliance, consumer consent must be “refreshed” when a consumer has not interacted with the controller in the last 12 months, and the controller is either processing (a) sensitive personal data, or (b) data for a secondary use that involves profiling and could have a significant effect on the consumer. Examples of decisions with “significant effect” are often found in the context of financial, insurance, education, and healthcare activities. 

Collection Restrictions: Whether or not consent is required, the CPA requires entities to do the following before collecting personal data: (i) specify the express purpose for which personal data are collected and processed (duty of purpose specification); (ii) restrict data collection to data that is “adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed” (i.e., a duty of data minimization); (iii) not process personal data for purposes that are not reasonably necessary or compatible with the specified purposes for which the data were collected without consumer consent (i.e., a duty to avoid secondary use); and (iv) properly secure personal data (i.e., a duty of care).

Posted Privacy Notice: Moreover, entities subject to the CPA must have an easily accessible, understandable, and consumer-facing privacy notice available to consumers. Rather than providing specific disclosures for each purpose, controllers need only connect the processing purpose with the categories of personal data processed in a way that provides consumers a “meaningful understanding” of how their data will be used. Covered topics include:

  • The purposes for which the categories of personal data are processed;
  • How and where consumers may exercise their privacy rights, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • The categories of personal data that are shared with third parties, if any;
  • The categories of third parties, if any, with whom the personal data is shared; and
  • If personal data is sold to third parties or processed for targeted advertising, then the Privacy Notice must disclose such sale or processing and state how a consumer may exercise the right to opt-out of the sale or processing.

Privacy Notices will be discussed in detail in future blog posts. In the meantime, entities subject to the CPA are advised to get in touch with privacy counsel to implement a Privacy Notice that is narrowly tailored to their unique business and collection practices. In an age of artificial intelligence and publicly available information, it may be tempting to repurpose a Privacy Notice found elsewhere. However, businesses must be aware that their Privacy Notice functions as a binding contract with their consumers. As a result, a Privacy Notice that does not reflect business practices and compliance obligations is likely to be viewed as a deceptive trade practice and ultimately do more harm than good.

Once implemented, businesses must notify consumers of substantive or material changes to their privacy notices, such as changes to categories of personal data processed, processing purposes, sharing data, and consumer privacy rights. Additionally, when processing personal data for a “secondary use” (i.e., a use that differs from the originally disclosed use), controllers must now obtain new consent from consumers before processing such previously collected data.

Data Protection Assessments: Finally, entities subject to the CPA must be familiar with the concept of data protection assessments. A data protection assessment is a process that examines the benefits that flow from processing data to the controller, the consumer, and the public as compared with the potential risk to consumers. Prior to engaging in processing that presents a heightened risk of harm to consumers (such as targeted advertising, profiling, and processing sensitive data), controllers must conduct and document their activities via formal data protection assessments. Considerations include the sources of personal data, the reasonable expectations of consumers, and the safeguards embedded in the technology used in processing. The assessment’s findings must ultimately be memorialized in a written document. The concept of data protection assessments (and related data protection impact assessments) is cropping up throughout many jurisdictions. Fortunately, the CPA provides that a data protection assessment conducted under another jurisdiction’s laws is sufficient if “reasonably similar in scope and effect.”

Enforcement: Unlike more progressive data laws, the CPA does not include a private right of action. Instead, the Attorney General and district attorneys have exclusive enforcement authority. Mechanisms of enforcement include injunctive relief and/or significant monetary damages. Non-compliance with the law may be considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation and up to $500,000 for a series of violations. 

Currently, the CPA provides a 60-day cure period. However, this cure period will only be available until January 1, 2025, after which the right to cure will sunset. Controllers are wise to spend the interim period shoring up their compliance practices with the advice of counsel.

Conclusion: All said, the CPA signals a shift towards pro-consumer protection in a historically unregulated field. The law is notable for both what it is, and what it is not. Just as an artist makes use of negative space to draw the viewer’s eye and frame a subject, the CPA’s statutory omissions provide a useful lens by which to interpret the text. In future articles, we will examine CPA’s omissions as contrasted with other state privacy laws. In an age of patchwork regulations and cross-border commerce, where privacy compliance obligations run in tandem, it is important to examine distinctions and prioritize accordingly.