Colorado: Analysing controller obligations under the Colorado Privacy Act
On 7 July 2021, Colorado State Governor, Jared Polis, signed the Colorado Privacy Act ('CPA') into law. As with other privacy laws, the CPA is primarily focused on creating obligations for entities that determine the purpose and means for processing personal data. David Stauss, Partner at Husch Blackwell LLP, focuses on identifying the obligations, which include providing privacy notices, responding to consumer requests, securing personal data, entering into contracts with data processors, and conducting Data Protection Assessments ('DPAs').
The CPA will go into effect on 1 July 2023. Entities that fail to comply with its requirements risk regulatory fines and penalties through Attorney General ('AG') or district attorney investigations.
What is a controller?
A controller is 'a person that, alone or jointly with others, determines the purposes for and means of processing personal data'. 'Person' is defined in Colorado law to mean 'an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity'. The definition does not exclude (nor does the CPA otherwise exclude) non-profit organisations.
Controllers are to be distinguished from processors, which the law defines as 'a person that processes personal data on behalf of a controller'. In some relationships it may be difficult to distinguish between controllers and processors. Those familiar with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') will know that the European Data Protection Board ('EDPB') has issued extensive guidance on this issue. The CPA briefly touches on this point noting that '[d]etermining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed'.
It must be borne in mind that the CPA does not apply to all organisations. Rather, it applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either: (i) control or process the personal data of 100,000 or more 'consumers' during a calendar year; or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers.
'Consumer' is defined as a Colorado resident acting only in an individual or household context. It does not include individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
Certain types of entities and data sets are entirely excluded from the CPA, such that it is important for organisations to first analyse whether they are subject to the law before undertaking any compliance efforts.
What duties does the CPA create for controllers?
The CPA sets forth seven duties for controllers:
- Duty of transparency.
- Duty of purpose specification.
- Duty of data minimisation.
- Duty to avoid secondary use.
- Duty of care.
- Duty to avoid unlawful discrimination.
- Duty regarding sensitive data.
The duty of transparency requires controllers to provide a 'reasonably accessible, clear, and meaningful privacy notice' that identifies: (i) the categories of personal data collected or processed by the controller or a processor; (ii) the purposes for which the categories of personal data are processed; (iii) how and where consumers may exercise the rights created by the CPA (discussed below), including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. In addition, if a controller sells personal data or processes personal data for targeted advertising, it must 'clearly and conspicuously' disclose that fact and the manner in which a consumer may exercise the right to opt out of the sale or processing.
The duty of purpose specification requires controllers to specify the express purposes for which personal data are collected and processed, presumably through the privacy notice. The related duty to avoid secondary use forbids controllers from processing personal data for purposes that are not reasonably necessary to or compatible with that specified purpose. Controllers also must restrict their personal data collection to data that is 'adequate, relevant, and limited to what is reasonably necessary to the purpose for which the data are identified' (duty of data minimisation).
The duty of care requires controllers to take 'reasonable measures to secure personal data during both storage and use from unauthorized acquisition'. Those practices 'must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business'. It should be noted that existing Colorado law (§6-1-713.5 of Part 7 of Article 1 of Title 6 of the Colorado Revised Statutes) requires businesses to 'implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations'.
The duty to avoid unlawful discrimination prohibits controllers from processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
Finally, the duty regarding sensitive data requires controllers to obtain a consumer's consent (or the consent of a minor's parent or legal guardian) prior to processing sensitive data. Sensitive data is personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. It also includes genetic or biometric data that may be processed for the purpose of uniquely identifying an individual and personal data from a known child.
What consumer rights does the CPA create?
The CPA requires controllers to provide for and honour certain consumer requests. First, controllers must allow consumers to opt out of targeted advertising, the sale of personal data, and certain types of profiling. Controllers also must allow consumers to access, correct, and delete their personal data. For the right to access, controllers must provide the personal data in a portable format. Controllers must provide information about how to exercise these rights in a privacy notice.
From 1 July 2024, controllers that process personal data for purposes of targeted advertising or sales must allow consumers to exercise the right to opt out of that processing through a user-selected universal opt-out mechanism. The Colorado AG is required to promulgate regulations identifying the technical specifications for that mechanism.
Do controllers need to enter into data processing agreements?
Yes. If controllers transfer personal data to processors, they must enter into a contract that sets out the processing instructions to which the processor is bound, identifies the personal data subject to the processing, and specifies the duration of the processing. The contract also must require processors to implement appropriate security measures, ensure the confidentiality of the data, enter into appropriate subprocessing contracts, delete or return data at the conclusion of the relationship, make available all necessary information to demonstrate compliance with these provisions, and allow for certain types of audits.
What is a DPA?
Before engaging in processing that presents a 'heightened risk of harm to a consumer', controllers must conduct and document a data protection assessment. Processing activities that create a heightened risk of harm include: (i) processing for purposes of targeted advertising or for certain types of profiling; (ii) selling personal data; and (iii) processing sensitive data.
DPAs are required to 'identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks'.
David Stauss, Partner
Husch Blackwell LLP, Denver