Colorado: Analysing the Colorado Privacy Act
On 7 July 2021, the Colorado Governor, Jared Polis, signed Senate Bill 21-190, the Colorado Privacy Act [1] ('CPA'), into law. Colorado joins California and Virginia as the only states – so far – to enact broad consumer privacy legislation. David Stauss, Partner at Husch Blackwell LLP, discusses the history of the CPA, provides an overview of its requirements, and compares some of its provisions to the laws in California and Virginia.
History of the CPA
Colorado lawmakers initially introduced the CPA in the Senate on 19 March 2021. As introduced, the bill closely mirrored the Washington Privacy Act and Virginia Consumer Data Protection Act ('CDPA'), though it contained several unique provisions.
Although the CPA boasted bipartisan support, it did not receive a committee hearing until 5 May 2021, when the Senate Business, Labor & Technology Committee unanimously passed the bill out of committee after making a number of pro-business changes. Most of those changes were short-lived as the Colorado Senate passed a significantly amended version of the bill on 26 May 2021.
The CPA had an easier path in the House, which passed a slightly amended version of the bill by a vote of 57-7 on 7 June 2021. The next day, the Senate concurred in the amendments, and the Governor signed the bill into law on 7 July 2021.
Notably, Governor Polis issued a signing statement [2] explaining that the law will require 'clean-up' in 2022 and that stakeholders were already working on amendments.
The CPA will go into effect on 1 July 2023.
The CPA applies to 'controllers' that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either: (i) control or process the personal data of 100,000 or more consumers during a calendar year; or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.
The CPA defines 'consumers' to mean Colorado residents acting only in an individual or household context. It does not include Colorado residents acting in a commercial or employment context.
Personal data is defined as 'information that is linked or reasonably linkable to an identified or identifiable individual'. It does not include de-identified data or publicly available information.
When determining whether the law applies, businesses should note that the CPA does not have a monetary threshold for applicability similar to the California Consumer Privacy Act of 2018's ('CCPA') $25,000,000 annual gross revenue threshold. Further, the CPA's 100,000/25,000 consumer thresholds apply to personal data that is either controlled or processed. The CPA defines 'process' to include not only data collection, but also its storage. In other words, businesses will need to be mindful of counting the data that they currently store, not just what they collect on an annual basis.
The CPA also has a unique approach to entities that sell personal data. For context, the CCPA applies to entities that derive 50% or more of their annual revenues from selling consumers' personal information. In 2023, the California Privacy Rights Act ('CPRA') will broaden this to entities that derive 50% or more of their annual revenues from selling or sharing personal information. In turn, the CDPA applies to entities that control or process the personal data of 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
In comparison, the CPA applies where an entity derives any revenue or receives a discount from the sale of personal data and processes or controls the personal data of 25,000 or more consumers. Stated differently, the CPA sets a much lower threshold for applicability for entities that sell personal data than the California and Virginia laws.
As with the CCPA/CPRA and the CDPA, the CPA contains a number of exceptions. For example, it does not apply to certain types of entities and data sets such as financial institutions subject to the Gramm-Leach-Bliley Act of 1999, many types of health care-related data, and data governed by the Family Educational Rights and Privacy Act of 1974 ('FERPA'). However, in a significant change from the California and Virginia laws, the CPA does not exclude nonprofits.
The CPA provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Starting from 1 July 2024, controllers will need to honour user-selected universal opt-outs for targeted advertising and sales. Colorado residents also have the rights to access, correct, and delete their personal data, as well as the right to data portability. Controllers will generally have 45 days to respond to consumer requests.
Controllers also will need to provide a 'reasonably accessible, clear, and meaningful privacy notice' that identifies information such as the categories of personal data that are collected or processed, the purposes for which the data are processed, how consumers can exercise their rights, and disclosures around the selling and sharing of personal data.
As with the CDPA, controllers must obtain consumer consent prior to processing sensitive data. The CPA defines sensitive data to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal data of a known child.
Colorado's definition of sensitive data is slightly more restrictive than the CDPA's definition, which also includes precise geolocation. The CCPA does not have a sensitive data designation. The CPRA will have such a designation, and it will be defined more broadly than in both Colorado and Virginia. That said, in California, businesses will not need to obtain consent for the collection of sensitive data. Instead, businesses will need to allow consumers the ability to restrict the business's use of sensitive data if the business uses it for purposes outside of those deemed acceptable.
The CPA also requires controllers to: (i) specify the express purpose for which personal data is collected and processed (duty of purpose specification); (ii) restrict their data collection to data that is 'adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed' (duty of data minimisation); (iii) not process personal data for purposes that are not reasonably necessary or compatible with the specified purposes for which the data were collected without consumer consent (duty to avoid secondary use); and (iv) properly secure personal data (duty of care).
Data protection agreements
Controllers will need to enter into data processing agreements ('DPAs') with processors. Among other things, DPAs must: (i) contain processing instructions, including the nature and purpose of the processing; (ii) identify the type(s) of personal data that will be processed; (iii) bind processors and their employees to confidentiality; (iv) require processors to implement appropriate security measures to protect personal data; (v) address the return or deletion of personal data; (vi) require processors to allow for audits; and (vii) require processors to enter into similar contracts with sub-processors. Privacy professionals will, of course, recognise many of these concepts from Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The CPRA and the CDPA contain similar (although not identical) requirements.
Ultimately, entities that are subject to one or more of these laws will need to develop a strategy for drafting and negotiating DPAs. This strategy will likely include adding other provisions into DPAs such as those addressing liability and data breach notification.
Data protection assessments
Prior to engaging in processing that presents a heightened risk of harm to consumers, controllers must conduct and document data protection assessments. This includes processing personal data for targeted advertising or sales, certain types of profiling, and processing sensitive data.
Data protection assessments must identify and weigh the benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of consumers associated with the processing.
The Attorney General ('AG') can request data protection assessments; however, such a request does not constitute a waiver of the attorney-client privilege or work product protection (thereby implying that assessments can be so protected).
The AG and district attorneys have exclusive authority to enforce the CPA and can seek injunctive relief or monetary damages. There is no private right of action.
Initially, the CPA will require the AG or district attorneys to issue a notice of violation and allow entities 60 days to cure the alleged violation – i.e., a right to cure. The right to cure will sunset on 1 January 2025. In lieu of a right to cure, controllers will be able to request opinion letters and interpretative guidance from the AG's office.
Impact on covered organisations
Entities that are subject to multiple laws will need to drive compliance with their various requirements, as well as the requirements of any applicable foreign laws such as the GDPR. The laws in Colorado and Virginia are similar enough that separate compliance modules will not be needed. Entities subject to the CCPA/CPRA will need to undertake additional effort to identify gaps; however, the Colorado/Virginia and California models can be thought of as complementary laws, and a single compliance module can likely be designed for covered entities.
Finally, the passage of the CPA must be understood in the larger context of the growing number of states passing consumer privacy laws. Although there are still only three states with such laws, there can be little doubt that other states will follow in the coming years. Indeed, in 2021 alone, over half of the states considered passing such legislation.
The true test will be whether other states follow the CCPA/CPRA or CPA/CDPA models or whether they pass entirely different legislation (such as the Washington People's Privacy Act or the Uniform Law Commission's Uniform Personal Data Protection Act). If that occurs, multi-state compliance could become more difficult and the drumbeats for passing federal privacy legislation will no doubt grow louder.
David Stauss Partner
Husch Blackwell LLP, Denver
[1] Available at: https://leg.colorado.gov/bills/sb21-190
[2] Available at: https://cochamber.com/wp-content/uploads/SB21-190-Signing-Statement.pdf