Colorado - Data Protection Overview
1. Governing Texts
The Governor of Colorado signed Senate Bill ('SB') 21-190, an Act concerning additional protection of data relating to personal privacy, otherwise known as the Colorado Privacy Act ('CPA'), on 7 July 2021. The bill had been re-passed by the Colorado Senate on 8 June 2021, after the Senate considered the amendments made to it by the Colorado House of Representatives. The CPA takes effect on 1 July 2023.
This Guidance Note provides an overview of the CPA.
The CPA regulates privacy and data protection matters in Colorado.
As the CPA has not yet entered into force, the Attorney General of Colorado ('AG') has not yet issued any guidance.
1.3. Case law
2. Scope of Application
The CPA applies to controllers that conduct business in Colorado, or produce or deliver commercial products or services intentionally targeted to Colorado residents, and that satisfy one or both of the following thresholds (§6-1-1304(1) of the CPA):
- control or process the personal data of 100,000 or more consumers during a calendar year; or
- derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers.
The CPA applies to controllers that conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to Colorado residents (§6-1-1304(1) of the CPA).
The CPA applies to personal data which is defined as information that is linked or reasonably linkable to an identified or identifiable individual (§6-1-1303(17)(a) of the CPA).
The CPA does not apply to certain personal data governed by listed state and federal laws (for example, certain protected health information and other health-care information), to certain listed activities, or to data maintained for employment records purposes (§6-1-1304(2) of the CPA).
Moreover, in relation to de-identified data, the CPA does not require a controller or processor to do any of the following solely for the purpose of complying with the CPA (§6-1-1307(1) of the CPA):
- reidentify de-identified data;
- comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to §6-1-1306(1) of the CPA, if all of the following are true:
  - the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  - the controller does not use the personal data to recognise or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  - the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorised by the consumer; or
- maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to enable the controller to associate an authenticated consumer request with personal data.
Furthermore, the rights contained in §6-1-1306 (1)(b) to (1)(e) of the CPA do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organisational controls that prevent the controller from accessing the information (§6-1-1307(3) of the CPA).
3.1. Main regulator for data protection
The AG is the regulator within Colorado.
3.2. Main powers, duties and responsibilities
The CPA gives the AG and district attorneys ('DAs') the power to enforce the CPA (§6-1-1311 of the CPA).
Moreover, the AG may promulgate rules for the purpose of carrying out the CPA, and must adopt rules detailing the technical specifications for one or more universal opt-out mechanisms by 1 July 2023. Please note that from 1 July 2024, controllers that process personal data for the purposes of targeted advertising or the sale of personal data must allow consumers to exercise their right to opt out through a user-selected universal opt-out mechanism that meets the technical specifications established by the AG (§6-1-1313 of the CPA).
In addition, the CPA outlines that by 1 January 2025, the AG may adopt rules that govern the process of issuing opinion letters and interpretive guidance, to develop an operational framework for businesses that includes a good-faith reliance defence for an action that may otherwise constitute a violation of the CPA. Those rules must become effective by 1 July 2025 (§6-1-1313(3) of the CPA).
Furthermore, because a violation of the CPA is treated as a deceptive trade practice, the AG and DAs may use the investigative powers of the Colorado Consumer Protection Act (C.R.S. Title 6, Article 1, of which the CPA forms Part 13). Under §6-1-107 of the Colorado Revised Statutes, when the AG or a DA has reasonable cause to believe that any person, whether in Colorado or elsewhere, has engaged in or is engaging in any deceptive trade practice, they have the following powers:
- to issue subpoenas (§6-1-108 of the Colorado Revised Statutes); and
- to seek restraining orders or injunctions (§6-1-110 of the Colorado Revised Statutes).
4. Key Definitions
Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual; it does not include de-identified data or publicly available information (§6-1-1303(17)(a) and (b) of the CPA).
In addition, 'publicly available information' means information that is lawfully made available from federal, state, or local government records, and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public (§6-1-1303(17)(b) of the CPA).
Sensitive data: The CPA defines 'sensitive data' as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child (§6-1-1303(24) of the CPA).
Pseudonymisation: The CPA defines 'pseudonymous data' as personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to a specific individual (§6-1-1303(22) of the CPA).
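The pseudonymous-data definition above, and the §6-1-1307(3) carve-out from the access, correction, deletion and portability rights, both turn on the same engineering property: the information needed to re-link a record to a person is held separately and the controller's ordinary processing environment cannot reach it. The following Python example is added here to illustrate that property; it is not part of the CPA text or any official guidance, and the record layout, the `SeparateKeyStore` class and the sample consumers are constructed for the illustration. It pseudonymises records with a keyed hash (HMAC) whose key lives in the separate store, shows that an access request cannot be matched to a record without that store, and contrasts this with an unkeyed hash of the same identifier, which an attacker can re-link by guessing.

```python
"""Pseudonymisation with the re-identification key held separately.

Added example, not from the CPA or the AG. Data and names are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: not real consumers.
SAMPLE_RECORDS = [
    {"email": "ana@example.com", "zip": "80202", "purchases": 3},
    {"email": "ben@example.com", "zip": "80301", "purchases": 1},
]


class SeparateKeyStore:
    """Holds the 'additional information' (an HMAC key) that re-links a
    pseudonym to a person. In practice this lives outside the analytics
    environment (for example in a KMS or HSM with its own access control),
    so that staff who hold the pseudonymous data cannot attribute it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, direct_identifier: str) -> str:
        # Normalise so that case and whitespace differences map to one pseudonym.
        normalised = direct_identifier.strip().lower().encode()
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()


def unkeyed_pseudonym(direct_identifier: str) -> str:
    """The common mistake: a plain SHA-256 of the identifier. No separately
    held information is needed to recompute it, so it is not pseudonymous
    data in the statutory sense."""
    return hashlib.sha256(direct_identifier.strip().lower().encode()).hexdigest()


def pseudonymise(records: list, store: SeparateKeyStore) -> list:
    """Replace the direct identifier with a keyed pseudonym, truncate the ZIP
    code to three digits, and drop the email from the working data set."""
    return [
        {"pid": store.pseudonym(r["email"]), "zip3": r["zip"][:3], "purchases": r["purchases"]}
        for r in records
    ]


def find_for_access_request(pseudonymous: list, email: str,
                            store: Optional[SeparateKeyStore]) -> Optional[list]:
    """Controller-side handling of an access, correction or deletion request.
    Returns None when the controller has no access to the key store: it cannot
    associate the request with any record, which is the situation §6-1-1307(3)
    addresses. With the store, the matching records are returned."""
    if store is None:
        return None
    pid = store.pseudonym(email)
    return [r for r in pseudonymous if r["pid"] == pid]


def linkable_by_guessing(pseudonym: str, guesses: list) -> bool:
    """Attacker model: recompute the unkeyed hash over a list of guessed
    identifiers and compare. Succeeds against unkeyed_pseudonym(), fails
    against a keyed pseudonym because the attacker lacks the key."""
    return any(unkeyed_pseudonym(g) == pseudonym for g in guesses)


if __name__ == "__main__":
    store = SeparateKeyStore()
    working_set = pseudonymise(SAMPLE_RECORDS, store)
    print("working set:", working_set)
    print("request without key store:", find_for_access_request(working_set, "ana@example.com", None))
    print("request with key store:", find_for_access_request(working_set, "ana@example.com", store))
    guesses = ["x@example.com", "ana@example.com"]
    print("unkeyed hash re-linked by guessing:",
          linkable_by_guessing(unkeyed_pseudonym("ana@example.com"), guesses))
    print("keyed pseudonym re-linked by guessing:",
          linkable_by_guessing(store.pseudonym("ana@example.com"), guesses))
```

The design point is the split: the analytics side keeps only `pid`, `zip3` and `purchases`, and the key store is the only component that can turn an email in an incoming request back into a `pid`. If the same team or service account can reach both, the "effective technical and organisational controls" test in §6-1-1307(3) is not met, whatever hash function is used.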
Data subject: The CPA does not provide a definition for 'data subject' but instead refers to 'consumers', defined as individuals who are Colorado residents acting only in an individual or household context. The definition does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context (§6-1-1303(6) of the CPA).
5. Legal Bases
The CPA defines 'consent' as a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following do not constitute consent (§6-1-1303(5) of the CPA):
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
- hovering over, muting, pausing, or closing a given piece of content; and
- agreement obtained through dark patterns.
The obligations imposed under the CPA do not restrict a controller or processor's ability to provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract (§6-1-1304(3)(a)(VIII) of the CPA).
The obligations imposed under the CPA do not restrict a controller or processor's ability to (§6-1-1304(3)(a)(I) to (III) of the CPA):
- comply with federal, state, or local laws, rules, or regulations;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; or
- cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law.
The CPA provides that the obligations imposed on controllers or processors do not restrict their ability to process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing (§6-1-1304(3)(a)(XI) of the CPA):
- is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and
- is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.
While the CPA does not expressly address processing for the legitimate interests of the controller, it provides that the obligations on controllers and processors do not restrict their ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; to preserve the integrity or security of systems; or to investigate, report, or prosecute those responsible for any such action (§6-1-1304(3)(a)(X) of the CPA).
The CPA imposes the following duties on controllers (§6-1-1308(1) to (7) of the CPA):
- Duty of transparency: providing consumers with a reasonably clear, accessible, and meaningful privacy notice (§6-1-1308(1));
- Duty of purpose specification: specifying the express purposes for which personal data are collected and processed (§6-1-1308(2));
- Duty of data minimisation: collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes (§6-1-1308(3));
- Duty to avoid secondary use: not processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes unless the controller first obtains the consumer's consent (§6-1-1308(4));
- Duty of care: taking reasonable measures to secure personal data during both storage and use from unauthorised acquisition (§6-1-1308(5));
- Duty to avoid unlawful discrimination: not processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers (§6-1-1308(6)); and
- Duty regarding sensitive data: not processing a consumer's sensitive data without first obtaining the consumer's consent or, in the case of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian (§6-1-1308(7)).
7. Controller and Processor Obligations
The CPA outlines that where more than one controller or processor, or both a controller and a processor, involved in the same processing violates the CPA, the liability shall be allocated among the parties according to principles of comparative fault (§6-1-1310 of the CPA).
The CPA does not specifically address the transfer of personal data. The closest related provision concerns de-identified data: one of the conditions under which a controller or processor is not required to comply with an authenticated consumer rights request is that it does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorised by the consumer (§6-1-1307(1)(b)(III) of the CPA).
The CPA provides that a controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after 1 July 2023 (the effective date of the section) and that present such a heightened risk (§6-1-1309(1) of the CPA). For the purposes of §6-1-1309 of the CPA, 'processing that presents a heightened risk of harm to a consumer' includes the following (§6-1-1309(2) of the CPA):
- processing personal data for purposes of targeted advertising, or for profiling if the profiling presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - financial or physical injury to consumers;
  - a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
  - other substantial injury to consumers;
- selling personal data; and
- processing sensitive data.
In addition, the CPA notes that data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed (§6-1-1309(3) of the CPA).
Controllers are also required to make data protection assessments available to the AG upon request. The AG may evaluate the data protection assessments for compliance with the duties contained in §6-1-1308 of the CPA and with other laws, including the CPA (§6-1-1309(4) of the CPA).
Moreover, the CPA outlines that single data protection assessments may address a comparable set of processing operations that include similar activities (§6-1-1309(5) of the CPA).
Please note that data protection assessment requirements apply to processing activities created or generated after 1 July 2023 and are not retroactive (§6-1-1309(6) of the CPA).
The CPA states that a controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian (§6-1-1308(7) of the CPA).
The CPA outlines that processors shall adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA. Taking into account the nature of the processing and the information available to the processor, the processor shall assist the controller by (§6-1-1305(2) of the CPA):
- taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to §6-1-1306 of the CPA;
- helping to meet the controller's obligations in relation to the security of processing the personal data, and in relation to the notification of a breach of the security of the system pursuant to §6-1-716 of the Colorado Revised Statutes (Colorado's data breach notification law); and
- providing the information necessary to enable the controller to conduct and document any data protection assessments required by §6-1-1309 of the CPA.
The controller and the processor are each responsible only for the measures allocated to them.
Moreover, the CPA notes that in no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by the CPA (§6-1-1305(6) of the CPA).
8. Data Subject Rights
In accordance with §6-1-1308(1)(a) and (b) of the CPA, controllers must provide consumers with a privacy notice that includes:
- the categories of personal data collected or processed by the controller or a processor;
- the purposes for which the categories of personal data are processed;
- how and where consumers may exercise the rights pursuant to §6-1-1306 of CPA, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;
- the categories of personal data that the controller shares with third parties, if any;
- the categories of third parties, if any, with whom the controller shares personal data; and
- if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data (§6-1-1306(1)(b) of the CPA).
A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data (§6-1-1306(1)(c) of the CPA).
A consumer has the right to delete personal data concerning the consumer (§6-1-1306(1)(d) of the CPA).
A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of (§6-1-1306(1)(a)(I) of the CPA):
- targeted advertising;
- the sale of personal data; or
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Moreover, a consumer may authorise another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in §6-1-1306(1)(a)(I) of the CPA, including through a technology indicating the consumer's intent to opt out, such as a web link indicating a preference, or a browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorised by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorised agent's authority to act on the consumer's behalf (§6-1-1306(1)(a)(II) of the CPA).
A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to §6-1-1306(1)(a)(I) of the CPA. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under the CPA, and in a clear, conspicuous, and readily accessible location outside the privacy notice (§6-1-1306(1)(a)(III) of the CPA).
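A controller therefore has two opt-out inputs to reconcile on each request: a preference recorded through its own opt-out method, and a universal signal sent by the consumer's browser or device. The Python example below is added here to show how a request handler would combine them; it is not from the CPA text or the AG's rules. It assumes the universal signal arrives as the Global Privacy Control request header `Sec-GPC: 1` (the mechanism the AG's later rules recognised; the statute itself leaves the technical specification to the AG), and the purpose names, the `ConsumerPrefs` record and the sample requests are constructed for the illustration. One point it makes explicit: the universal mechanism in §6-1-1313 covers targeted advertising and sale, so a profiling opt-out must still be honoured through the controller's own method even when the signal is absent.

```python
"""Reconciling a stored opt-out with a universal opt-out signal per request.

Added example, not from the CPA or the AG. Purpose names, the header
assumption (Sec-GPC) and the sample requests are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Purposes for which §6-1-1306(1)(a)(I) gives consumers an opt-out right.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale", "profiling"})

# Purposes a universal opt-out mechanism must be honoured for (§6-1-1313):
# targeted advertising and sale. Profiling is opted out of through the
# controller's own method only.
UNIVERSAL_SIGNAL_PURPOSES = frozenset({"targeted_advertising", "sale"})


@dataclass
class ConsumerPrefs:
    """Opt-outs recorded through the controller's own clear and conspicuous
    method (§6-1-1306(1)(a)(III)). Keyed by purpose name."""
    opted_out: set = field(default_factory=set)


def universal_opt_out_signalled(headers: dict) -> bool:
    """Assumption: the signal is the Global Privacy Control header 'Sec-GPC: 1'.
    Header names are compared case-insensitively; any value other than '1'
    is treated as no signal rather than as a positive opt-in."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def record_opt_out(prefs: ConsumerPrefs, purposes: list) -> ConsumerPrefs:
    """Persist an opt-out made through the site's own method. Rejects purpose
    names the opt-out right does not attach to, so a typo cannot silently
    record nothing."""
    unknown = set(purposes) - OPT_OUT_PURPOSES
    if unknown:
        raise ValueError(f"no opt-out right attaches to: {sorted(unknown)}")
    prefs.opted_out.update(purposes)
    return prefs


def processing_allowed(purpose: str, headers: dict, prefs: ConsumerPrefs) -> bool:
    """Decide, for one request, whether personal data may be processed for
    `purpose`. A stored opt-out always wins; a universal signal wins for the
    purposes it covers; otherwise processing for that purpose proceeds
    (subject to all other duties, which this function does not model)."""
    if purpose not in OPT_OUT_PURPOSES:
        return True
    if purpose in prefs.opted_out:
        return False
    if purpose in UNIVERSAL_SIGNAL_PURPOSES and universal_opt_out_signalled(headers):
        return False
    return True


def evaluate_request(headers: dict, prefs: ConsumerPrefs) -> dict:
    """Convenience view: the allow/deny decision for every opt-out purpose
    on one request, as a middleware might attach it to the request context."""
    return {p: processing_allowed(p, headers, prefs) for p in sorted(OPT_OUT_PURPOSES)}


if __name__ == "__main__":
    # Constructed requests: a browser sending GPC, and one that does not.
    gpc_request = {"Sec-GPC": "1", "User-Agent": "example-browser"}
    plain_request = {"User-Agent": "example-browser"}
    prefs = ConsumerPrefs()
    print("GPC, no stored prefs:", evaluate_request(gpc_request, prefs))
    record_opt_out(prefs, ["profiling"])
    print("no GPC, profiling opt-out stored:", evaluate_request(plain_request, prefs))
```

The ordering inside `processing_allowed` is deliberate: a stored opt-out is checked before the header so that a consumer who opted out on the site stays opted out from a device that does not send the signal. The converse also holds: a consumer who sends the signal but never used the site's method is still opted out of targeted advertising and sale on that request.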
When exercising the right to access personal data pursuant to §6-1-1306(1)(b) of the CPA, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in §6-1-1306(1)(e) of the CPA requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets (§6-1-1306(1)(e) of the CPA).
Please see section on the right to object/opt-out above.
The CPA does not authorise a private right of action for a violation of its provisions. §6-1-1310(1) of the CPA neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including the CPA, the Constitution of the State of Colorado, or the United States Constitution (§6-1-1310(1) of the CPA).
The AG and DAs have exclusive authority to enforce the CPA by bringing an action in the name of the state, or as parens patriae on behalf of persons residing in the state, including seeking an injunction to enjoin a violation of the CPA (§6-1-1311 of the CPA).
Prior to any enforcement action pursuant to §6-1-1311(1)(a) of the CPA, the AG or DA must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within 60 days after receipt of the notice of violation, an action may be brought under that section. Please note that this cure provision, §6-1-1311(1)(d) of the CPA, is repealed effective 1 January 2025.