Colorado: An overview of Vendor Privacy Contracts

1. Governing Texts

1.1. Legislation

On 7 July 2021, the Governor of Colorado signed Senate Bill ('SB') 21-190, an Act concerning additional protection of data relating to personal privacy, otherwise known as the Colorado Privacy Act ('CPA'). The Colorado Senate had re-passed the bill on 8 June 2021 after considering the amendments made to it by the Colorado House of Representatives.

The CPA will enter into effect on 1 July 2023.

1.2. Regulatory authority guidance

As the CPA has not yet entered into force, the Attorney General of Colorado ('AG') has not yet issued any guidance.

1.3. Regulatory authority templates

As the CPA has not yet entered into force, the AG has not yet issued any templates.

2. Definitions

Data controller: A person that, alone or jointly with others, determines the purposes for and means of processing personal data (§ 6-1-1303(7) of the CPA).

Data processor: A person that processes personal data on behalf of a controller (§ 6-1-1303(19) of the CPA).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

The CPA outlines that processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties (§ 6-1-1305(5) of the CPA).

3.2. What content should be included?

The CPA outlines that the following should be set out in the contract (§ 6-1-1305(5) of the CPA):

  • the processing instructions to which the processor is bound, including the nature and purpose of the processing;
  • the type of personal data subject to the processing, and the duration of the processing;
  • the requirements imposed by § 6-1-1305(3), (4), and (5) of the CPA; and
  • the following requirements:
    • at the choice of the controller, the processor must delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
    • the processor must make available to the controller all information necessary to demonstrate compliance with the obligations under the CPA; and
    • the processor must allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organisational measures in support of the obligations under the CPA using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor must provide a report of the audit to the controller upon request.

Moreover, the CPA notes that in no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by the CPA (§ 6-1-1305(6) of the CPA).

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Processors are required to take appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to § 6-1-1306 of the CPA (§ 6-1-1305(2)(a) of the CPA).

For further information see Colorado – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Not applicable.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

The CPA outlines that both the controller and processor have to take into account the context of processing and must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures (§ 6-1-1305(4) of the CPA).

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

Processors are required to assist the controller in meeting its obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to § 6-1-716 of Part 1 of Article 1 of Title 6 of the Colorado Revised Statutes (§ 6-1-1305(2)(b) of the CPA).

For further information see Colorado – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The CPA notes that a processor can engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with § 6-1-1305(5) of the CPA that requires the subcontractor to meet the obligations of the processor with respect to the personal data (§ 6-1-1305(3)(b) of the CPA).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Not applicable.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The CPA does not expressly require processors to assist controllers with regulatory investigations. However, the CPA provides that the obligations imposed on controllers and processors do not restrict either party's ability to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities (§ 6-1-1304(3)(a)(II) of the CPA).

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Not applicable.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

As noted above, the CPA requires the processor to make available to the controller all information necessary to demonstrate compliance with the obligations under the CPA (§ 6-1-1305(5)(d)(II)(A) of the CPA).

Moreover, the CPA outlines that the processor must allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organisational measures in support of the obligations under the CPA using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor must provide a report of the audit to the controller upon request (§ 6-1-1305(5)(d)(II)(B) of the CPA).
Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.