Background

Over the past few years, businesses had to expand and upgrade their compliance programs substantially to address requirements in accordance with the CCPA as amended. As other states adopt laws similar to the CCPA as amended, businesses seek to leverage their California-focused compliance measures to address additional requirements. Many find it helpful to explore new laws in other states from the perspective of similarities and differences to California law.

Businesses that have implemented measures to comply with the CCPA as amended can leverage some of their existing vendor contract terms, website disclosures, and data subject rights response processes to satisfy requirements under the CPA. However, the CPA and the Colorado Privacy Act Rules ('CPA Rules') contain requirements that may warrant taking a CPA-specific approach to compliance.

Who and what data is protected?

The CPA protects 'consumers', which the statute defines as Colorado residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection. The CPA Rules specify in some detail who is not an employee, including an individual who is customarily engaged in an independent trade, occupation, profession, or business related to the service performed. Protected information under the CPA includes information that is linked or reasonably linkable to an identified or identifiable individual, but does not include such data that is de-identified or publicly available. Colorado's focus on individual or household activities contrasts with the CCPA as amended, which explicitly protects California residents' personal information in the employment and human resources context and business-to-business activities.

Like the CCPA as amended, the CPA includes exemptions for certain types of data and entities, although the exemptions are not identical across both states. The CPA includes exemptions for air carriers and certain financial institutions governed by the Gramm-Leach-Bliley Act of 1999 ('GLBA'), certain data maintained by a public utility, employment records, protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), and other types of information already regulated under other federal laws, including the GLBA, the Family Educational Rights and Privacy Act of 1974 ('FERPA'), the Fair Credit Reporting Act of 1970 ('FCRA'), and the Children's Online Privacy Protection Act of 1998 ('COPPA').

Who must comply?

Unless an exemption applies, the CPA applies to 'controllers' and 'processors' that conduct business in Colorado or sell products or services intentionally targeted to residents of Colorado, and meet either of the following thresholds: the business:

• controls or processes personal data of 100,000 or more consumers during a calendar year; or
• derives revenue or receives discounts from the sale of personal data and controls or processes data of at least 25,000 consumers.

Notably, and unlike the CCPA as amended, and other state privacy laws becoming operative in 2023, the CPA applies to non-profit entities.

'Controller' is analogous to a 'business' under the CCPA as amended and is defined as a person that, alone or jointly with others, determines the purposes for, and means of, processing personal data. 'Processor' is analogous to a 'service provider' under the CCPA as amended and is defined as a person who processes personal data on behalf of a controller. To qualify as a 'processor' under the CPA, a company has to process personal data on behalf of a controller. The CPA mandates that processors adhere to the controller's instructions and assist the controller to comply with the controller's own obligations, and the two parties must enter into an agreement with certain terms prescribed by the CPA. Under the CCPA as amended, to qualify as a 'service provider' a company must both enter into, and adhere to, a contract with certain terms and only process personal information for certain business purposes as defined by the CCPA as amended. The contract terms required to be included in a service provider contract under the CCPA as amended differ substantially from those required to be included in a processor contract under the CPA.

How to comply?

Privacy notices

Under the CPA, controllers must provide privacy notices that include:

• the data categories collected or processed;
• the purposes for which the categories are processed;
• how and where consumers may exercise their rights, including the controller's contact information and how a consumer may appeal a controller's action with regard to a consumer's request; and
• categories of data shared with third parties.

Most of these notice obligations are similar to obligations under the CCPA, except for the requirement to disclose Colorado-specific processes to appeal a controller's request-related action.

Moreover, controllers that 'sell' personal data, or that process personal data for targeted advertising, must disclose the sale or processing and the manner in which a consumer may exercise the right to opt out of the sale or processing. The CPA defines a 'sale' of data in a similar manner as the CCPA as amended, as an exchange of personal data for monetary or other valuable consideration by a controller to a third party. This means that transferring personal data for something valuable alone constitutes a sale, and a party need not receive money in return for the personal data to have been considered 'selling' the data. However, the CPA excludes certain types of disclosures from being a 'sale' of personal data, such as disclosures to a processor to process the data for the controller, disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer, disclosure to an affiliate of a controller, to third parties in relation to a merger or similar transaction, that a consumer directs the controller to disclose, or of data intentionally made available by a consumer to the general public.

The CPA Rules, however, include more prescriptive notice requirements. For example, they prescribe how controllers must post privacy notices when operating online (e.g. using a link with the word 'privacy' on a controller's website - as also required by the CCPA Regulations) or offline (e.g. distributing an offline notice to consumers through a medium regularly used by the controller to interact with consumers). They also require notices to include detailed explanations of how consumers can exercise their data privacy rights under the CPA.

Loyalty program disclosures

Similar to the obligation to issue a notice of 'financial incentive' under the CCPA as amended, where a business offers special programs or services in exchange for personal information, the CPA Rules require loyalty program-related disclosures. The requirements, however, are generally less burdensome than those that apply to notices of financial incentives under the CCPA as amended (e.g. there is no need to explain the method used to calculate the value of data, or analyse how such value is reasonably related to the value provided by the loyalty program).

Technical and organisational measures, assessments, and data processing agreements

Like the CCPA as amended, the CPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. The CPA also requires controllers to conduct and document data protection assessments before engaging in any processing activity that presents a heightened risk of harm to a consumer, a requirement currently not found in the CCPA as amended, although the California Privacy Protection Agency ('CPPA') may introduce similar such requirements in the future. The CPA considers processing for purposes of targeted advertising or profiling, selling personal data, and processing sensitive data to be activities that typically present a heightened risk of harm to consumers. The CPA Rules set out 13 different items that must be covered in a privacy risk assessment, and outlines certain risks that must be accounted for.

Further, before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under the state privacy laws of Virginia, Connecticut, and Utah, including controller-to-processor instructions, provisions on the types of processed data and their retention periods, and confidentiality commitments. Data processors must adhere to controllers' instructions and use appropriate technical and organisational measures to assist controllers in meeting their obligations under the CPA. The CCPA as amended also requires data processing agreements to include certain clauses, but the requirements under the CPA and the CCPA as amended vary substantially on this score.

Data subject rights

Under the CPA, consumers have the right to know whether a controller is collecting their personal data, to access their collected personal data, to download and remove personal data from a platform in a format that allows the transfer to another, and to correct and delete personal data held on them. Consumers also have the right to opt out of the sale of their personal data, or use of their personal data for targeted advertising and certain types of profiling. Notably, controllers must offer a universal opt-out tool by 1 July 2024. These rights are broadly similar to rights found in the CCPA as amended. The CPA and CCPA as amended both recognise the concepts of 'sensitive' personal information, but the CPA establishes an opt-in regime with respect to the processing of sensitive personal information, whereas the CCPA as amended establishes an opt-out regime with respect to such processing for non-exempt purposes.

Obtaining consumer consent

Both the CCPA as amended and the CPA include some circumstances that require a controller to obtain consent from consumers. However, under the CPA Rules, Colorado introduced an explicit concept of 'refreshing consent'. The CPA Rules state that a controller must refresh consent when the consumer has not interacted with the controller in the prior 12 months and is processing sensitive data or processing personal data for a secondary use that involves particular profiling activities. Under the CPA Rules, controllers are not required to refresh consent where a consumer has access and the ability to update their opt-out preferences at any time through a user-controlled interface.

The CPA Rules also explicitly require controllers to obtain new consent when a processing purpose changes, such that the new purpose is a secondary use of the collected personal information. This is different from the amendments to the CCPA Regulations and their requirement that businesses obtain, in summary, upfront consumer consent to collect personal data where the collection, use, or retention of that personal data is not necessary or proportionate, or is unrelated or incompatible with the established collection purposes.

Universal opt-out mechanism

Similar to the CCPA Regulations, the CPA contemplates that consumers will have the right to opt out of sales of their personal data and targeted advertising by activating a universal opt-out mechanism. The CPA provides that the Colorado Attorney General ('AG') will establish the technical specifications of such universal opt-out mechanisms, and the CPA Rules set forth detailed requirements on how such mechanisms must operate. The CPA Rules provide that the Colorado Department of Law shall maintain a public list of acceptable Universal opt-out mechanisms and that such initial list shall be released no later than 1 January 2024.

Timelines for responding to data subject rights requests

To exercise one’s rights, the CPA allows consumers to, once they have been authenticated, receive responses to consumer requests within 45 days. Controllers may extend this time period by another 45 days where reasonably necessary, and the consumer will ultimately have the ability to appeal any decision made by the controller under the controller's appeal process (which is mandated by the CPA). The appeals process must provide the consumer with an appellate response within 45 days (which can be extended by another 60 days if reasonably necessary), and must end with the consumer's ability to contact the Colorado AG if the consumer has concerns about the results of any appeal. This last point contrasts with the CCPA as amended, which does not mandate an appeal process.

Sensitive data

The CPA defines 'sensitive data' to mean certain prescribed categories of data, including personal data that reveals an individual's race, ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual activity, orientation or preferences, citizenship status, as well as personal data from a known child (under 13) and biometric information. The CPA Rules also create a new category of sensitive data titled 'sensitive data inferences'. Accordingly, inferences made from data that concern sensitive data categories are also subject to additional requirements and limitations.

Unlike the CCPA as amended, which introduces an 'opt-out' regime for the processing of sensitive personal information beyond certain authorised purposes, the CPA requires controllers to obtain consumers' consent before processing their sensitive data. Thus, Colorado's sensitive data-related obligations are generally more burdensome than those in California, although this is counterbalanced by the fact that the definition of sensitive data is more limited under the CPA than under the CCPA as amended.

Sanctions and remedies

There is no private right of action provided by the CPA, but the Colorado AG or Colorado district attorneys can bring a civil action for an injunction or penalties. The CPA does not issue guidance on fines, but instead states that a CPA violation is a deceptive trade practice, which would in turn impact a civil action asserting a claim under the Colorado Consumer Protection Act. An entity violating the CPA could therefore be subject to a fine of $20,000 per violation. Until 1 January 2025, the Colorado AG or Colorado district attorneys must first, if an offence is curable, issue a notice of violation to a controller and allow a 60-day cure period before pursuing enforcement action.

Lothar Determann Partner
[email protected]
Helena Engfeldt Partner
[email protected]
Jonathan Tam Partner
[email protected]
Tom Tysowksy Associate
[email protected]
Baker & McKenzie LLP, Palo Alto

1. Available at: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf