Colorado: The newly approved CPA – An overview of key requirements
Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy, also known as the Colorado Privacy Act ('CPA')1, was signed, on 7 July 2021, by the Colorado State Governor, making Colorado the third US State to adopt its own privacy law, following California and Virginia. In particular, the CPA provides several privacy rights for consumers and obligations on data controllers, and assigns enforcement powers to the Attorney General ('AG') and District Attorneys ('DAs'). OneTrust DataGuidance addresses some of the key requirements introduced by the CPA that organisations will have to keep in mind in the operationalisation of their privacy programs.
Scope of application
Who does the CPA apply to?
The CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either:
- control or process personal data of 100,000 consumers or more per calendar year; or
- derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 consumers or more.
What data falls outside the scope of the CPA?
The CPA does not apply to various types of data which include the following:
- protected health information that is collected, stored, and processed by a covered entity or its business associates;
- certain patient identifying information;
- information that is de-identified in accordance with the requirements for de-identification set forth in the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy and Security Rule; and
- personal data that is regulated by the Children's Online Privacy Protection Act of 1998 ('COPPA') and the Gramm-Leach-Bliley Act of 1999 ('GLBA').
Data subject rights
What are the available rights for data subjects?
The CPA provides several privacy rights including:
- right to opt-out: the right to opt-out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling used for decisions that produce legal or similarly significant effects on a consumer;
- right of access: the right of access is the consumer's right to confirm whether a controller is processing personal data concerning them and to access that data;
- right to correction: the right of consumers to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the data;
- right to deletion; and
- right to data portability: the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
What are the procedural requirements for controllers when responding to a data subject request?
A controller must inform the data subject of any action taken on a data subject request without undue delay and, in any event, within 45 days after receipt of the request. This time limit can be extended by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests, and after informing the data subject of the extension. If no action is taken on a consumer's request to exercise their data subject rights, the controller must inform the consumer, without undue delay and, at the latest, within 45 days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller.
Moreover, a controller must provide to the consumer the information relating to the exercise of their rights free of charge, except that, for a second or subsequent request within a 12-month period, the controller may charge an amount calculated in the manner specified by law.
Can a data subject request be refused?
A controller is not required to comply with a request to exercise a data subject right if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.
Are there any requirements with regards to the opt-out mechanism?
At present, the CPA notes that the AG may promulgate rules for the purposes of establishing an opt-out mechanism and is required to do so by 1 July 2023. Please note that, from 1 July 2024, data controllers are required to allow consumers to exercise their right to opt-out, where their personal data is processed for the purposes of targeted advertising or the sale of personal data, through a user-selected universal opt-out mechanism that meets the technical specifications established by the AG.
Controller and processor obligations
Are controllers required to provide a privacy notice?
The CPA requires controllers to provide consumers with a reasonably clear, accessible, and meaningful privacy notice including:
- the categories of personal data collected or processed by the controller or a processor;
- the express purposes for which personal data will be collected and processed;
- how and where consumers may exercise their data subject rights, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;
- the categories of personal data that the controller shares with third parties, if any; and
- the categories of third parties, if any, with whom the controller shares personal data.
What are the main obligations for data controllers?
The CPA requires data controllers to adhere to the following obligations:
- collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to its specified purposes;
- not to process personal data for other purposes not compatible with the initial specified purpose unless the controller obtains the consumer's consent;
- taking reasonable measures to secure personal data;
- not to process personal data which violates laws that prohibit unlawful discrimination against consumers; and
- not to process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
What are the main obligations for data processors?
The CPA requires processors to adhere to the instructions of the controller, assisting the latter to meet their obligations by:
- taking appropriate technical and organisational measures, insofar as possible, for the fulfilment of the controller's obligation to respond to consumer requests to exercise their rights;
- aiding the controller to meet their security obligations when processing personal data and in relation to a breach of the security of the system; and
- providing the information necessary to aid the controller to conduct and document data protection assessments.
Data Protection Impact Assessments
Are Data Protection Impact Assessments regulated under the CPA?
The CPA requires controllers to conduct data protection assessments where the processing of data presents a heightened risk to consumers. Such risks include:
- processing for the purposes of targeted advertising or for profiling if said profiling presents a reasonably foreseeable risk;
- selling personal data; and
- processing sensitive data.
Controllers are also required to make data protection assessments available to the AG upon request, and the AG may evaluate them in regard to compliance with the duties contained in the CPA.
Moreover, the CPA outlines that a single data protection assessment may address a comparable set of processing operations that include similar activities. Please note that data protection assessment requirements apply to processing activities created or generated after 1 July 2023 and are not retroactive.
Who is responsible for enforcing the CPA?
The AG and DAs have exclusive authority to enforce the CPA.
Are there penalties for violations?
The AG and/or DAs can pursue an action in the name of the State of Colorado as Parens Patriae on behalf of Colorado residents, including seeking an injunction to enjoin a violation of the CPA. For purposes of enforcement, any violations of the CPA will be treated as a deceptive trade practice.
If a controller fails to cure a violation within 60 days after receipt of the notice of violation, the AG or DA can bring an action under the CPA. Please note that this cure period will be repealed from 1 January 2025.
Does the CPA provide for a private right of action?
No, the CPA does not authorise a private right of action for a violation of its provisions.
Following its passage, the CPA will enter into effect on 1 July 2023.
Alexander Fetani Senior Privacy Analyst
1. Available at: https://www.dataguidance.com/advisories/colorado-privacy-act