Colorado: Consumer rights under the Colorado Privacy Act
On 7 July 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act ('CPA'). The CPA is a comprehensive consumer protection law that establishes a new regulatory regime for protecting consumer personal data. Larkin Reynolds, Principal at Foundry Legal, LLC, provides an overview of the consumer rights embedded in the CPA and offers some insights on which areas leave open questions for businesses and organisations (notably, non-profit organisations are not exempt from the CPA, so the law applies to for-profit and non-profit organisations alike) that will be required to comply by the statute's effective date of 1 July 2023.
The CPA imposes affirmative obligations on entities to which it applies. However, similar to the California Consumer Privacy Act of 2018 ('CCPA') and the Virginia Consumer Data Protection Act, the CPA also confers several broad data-specific rights to be exercised directly by consumers, and the failure to recognise and respond to these consumer requests will invoke penalties.
Section 1306 of the CPA requires data controllers to recognise certain consumer rights with respect to consumer personal data, and provide consumers with a method for exercising those rights. The data controller must also provide, in its privacy notice, information about how the consumer can submit a request to exercise the rights in Section 1306. The rights themselves are further detailed as:
- the right for consumers to opt out of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce 'legal or similarly significant effects concerning a consumer';
- the right for consumers to know about (or 'confirm') whether the controller is collecting and processing their personal data, and to access the personal data held by the controller;
- the right to the correction of inaccuracies about consumer personal data;
- the right to deletion of the consumer's data; and
- the right to data portability.
Opting out of processing
Notable in the CPA is that the 'controller' of the data, typically the business or organisation directing the collection and processing of the data, must make the opt-out method 'clear and conspicuous' in any privacy notice, as well as in a 'clear, conspicuous, and readily accessible location' outside the privacy notice. Furthermore, at least for the first year, organisations may employ a user-selected 'universal' opt-out mechanism provided by a third party to put this requirement into practice, and starting 1 July 2024, a universal opt-out mechanism will be mandatory.
The opt-out right also requires a mandatory disclosure to consumers of: (i) information about the choices available to them to opt out; (ii) a description of the categories of personal data to be processed and the purposes of the processing; and (iii) an explanation of how and where the consumer may withdraw consent. The method of revoking consent must be as easy as the method for providing affirmative consent.
Access and portability
The CPA enacts a consumer right to 'confirm' whether a controller is processing personal data concerning the consumer and to access the consumer's personal data. The CPA states that consumers seeking to access their data have the right to obtain the personal data in a 'portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance'. There are limits in that a consumer may exercise this right no more than twice per calendar year.
Correction and deletion
Section 1306 of the CPA also includes consumer rights to correct inaccuracies in their data and to delete their data, two consumer rights recognised in several other consumer privacy regimes. The right to correct inaccuracies appears to contemplate some limits, as the statute states that the right is one that 'tak[es] into account the nature of the personal data and the purposes of the processing of the consumer's personal data'. The right to 'delete personal data concerning the consumer' does not have such a limit.
While there is not much specificity in the statutory language as enacted, the Colorado Attorney General ('AG'), who along with state District Attorneys will have exclusive enforcement responsibility for the statute, may offer clarity by issuing regulations. The AG is given discretion to promulgate regulations pertaining to the CPA generally by 1 January 2025, and must issue regulations regarding the specifications of the consumer data opt-out mechanism.
All of the consumer rights under Section 1306 of the CPA contemplate a time period within which the data controller must respond to the consumer request, with some flexibility for extensions where justified and where promptly communicated to the consumer. The controller is not required to comply with requests from consumers it cannot authenticate using 'commercially reasonable efforts', and the controller may request additional information 'reasonably necessary' to authenticate the request. While these categories of 'reasonableness' leave some room for subjectivity on the part of the controller, they also limit that subjectivity to a level that would be defensible if questioned and reviewed by a court or an enforcement official. The controller must also establish a process for appeals, and must inform consumers of their right to contact the attorney general if they have concerns about the results of the appeal.
Section 1308: Duties of data controllers
Section 1308 of the CPA also imposes a set of express 'duties' on data controllers covered by the law, and these duties operate as an additional layer of data protection underpinning the five express consumer rights above. Those duties are:
- Duty of purpose specification. Controllers must specify the 'express purposes' for which the data are collected and processed.
- Duty of data minimisation. Data collection must be 'adequate, relevant, and limited' to the purposes specified, which will require data controllers to think carefully about which data they are collecting and why.
- Duty to avoid secondary use. Data controllers must not process data for purposes that are not 'reasonably necessary to or compatible with' the purpose for which the data was originally collected. This means if a company originally collected data for the purpose of providing specific services, it must not then use that data to market products to that consumer.
- Duty of care. Controllers must take 'reasonable' measures to protect data from unauthorised acquisition. This duty is not new in the Colorado statutes, as the state's data breach statute (§ 6-1-716 of the Colorado Revised Statutes) already embraced this duty. Under this provision, however, failure to implement such measures could be grounds for penalty even without the occurrence of a data breach.
- Duty to avoid unlawful discrimination. Controllers cannot process data in a manner that violates a pre-existing law prohibiting discrimination against consumers.
- Duty regarding sensitive data. Controllers must only process any sensitive personal data if they have valid consent from the consumer, or, in the case of data concerning a child, consent from the child's guardian.
Key definitions: 'Sensitive data' and 'consent'
Under the CPA, 'sensitive data' includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and any data 'concerning' a known child. Consent for the processing of data concerning children must be obtained from the child's legal guardian.
Under the CPA, consumer consent must be demonstrated by a 'clear, affirmative act' signifying the consumer's 'freely given, specific, informed, and unambiguous' consent. While the CPA does not mandate a unique or specific type of demonstration of consent for that consent to be effective—thus enabling businesses and organisations to come up with their own mechanisms for obtaining and logging consent—the CPA does inform stakeholders about what types of consent are insufficient. Namely, the CPA deems presumptively ineffective any consent obtained through use of a 'dark pattern', which is a 'user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice'. It also makes clear that a user action involving hovering over, muting, pausing, or closing a given piece of content is insufficient to show consent. These concepts have some precedent in the California consumer privacy regime and, more particularly, in its agency regulations.
The CPA ushers in substantial compliance obligations for organisations subject to it, and a significant portion of those obligations require covered organisations to respond directly to the consumers whose data they collect and process. Nevertheless, there is considerable overlap between the CPA mandates and those already placed on organisations by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the CCPA, and the California Privacy Rights Act. Organisations heading toward compliance with those comprehensive privacy laws will find they can check off many boxes relating to the CPA—indeed, in many areas the Colorado statute is operationally somewhat more lenient than the California law.
Covered organisations processing consumer personal data should stay tuned. As indicated by Governor Polis in the signing statement he issued alongside his signature on the CPA bill, many stakeholders consider the CPA to be 'unfinished', and anticipate amendments to be introduced and likely passed during the 2022 legislative session. We will of course be watching for developments in the months to come.
Larkin Reynolds Principal
Foundry Legal, LLC, Denver