Colorado Becomes Last State to Pass New Data Protection Law | Foley Hoag LLP – Security, Privacy and Law
On July 7, 2021, Governor Jared Polis promulgated the law Colorado Privacy Act (CPA), making Colorado the most recent state to pass comprehensive privacy legislation. Although the CPA does not come into effect until July 1, 2023, it contains strong provisions that businesses will need some time to prepare for.
The CPA is based on many principles and has a framework similar to that of the California Consumer Privacy Act (CCPA), California Privacy Rights and Enforcement Act (ACPL), and Virginia Consumer Data Protection Act (VCDPA), but there are some important differences in CPA.
Similar to the CPRA and VCDPA, the CPA gives consumers the right to access and control certain types of personal data that businesses collect and maintain by:
- grant consumers certain rights regarding their data;
- impose positive obligations on companies that hold personal data; and
- empowering the Colorado attorney general and local district attorneys to conduct assessments, impose penalties and prevent future violations.
The CPA grants Colorado consumers five specific data rights:
- to refuse the processing of personal data for the purposes of targeted advertising, the sale of personal data or “profiling” in the context of decisions which produce legal effects or of similar importance for the consumer. (“Profiling” is defined as “any form of automated processing of personal data to assess, analyze or predict personal aspects relating to economic situation, health, personal preferences, interests, reliability, behavior, location or the movements of an identified or identifiable individual. “)
- access their personal data and confirm whether a controller is processing their personal data;
- the correction of inaccuracies in the consumer’s personal data;
- the deletion of personal data; and
- to data portability to get their personal data in a portable and usable format.
Businesses must respond to consumer inquiries asserting these rights within 45 days.
The CPA also contains a number of positive obligations for companies:
provide a “reasonably accessible, clear and meaningful privacy notice” informing consumers of the categories collected and shared with third parties, the purposes of the processing, the means by which consumers can exercise their rights, sales disclosures or the processing to third parties. third party for targeted advertising (and how consumers can opt out);
- lens specification
provide the express purposes of the collection and processing of personal data;
- data minimization
limit the collection of personal data to that which is “adequate, relevant and limited to what is reasonably necessary for the specified purpose”;
- limits on secondary use
not to process personal data for purposes which are not “reasonably necessary or compatible with the specific purpose” for their collection and processing;
to “take reasonable steps to protect personal data during storage and use against unauthorized acquisition”;
- no discrimination
to “not process personal data in violation of state or federal laws which prohibit unlawful discrimination against consumers”; and
- protection of sensitive data
refrain from processing sensitive data without first obtaining consent.
Covered companies must also conduct data protection assessments for processing involving activities of increased risk, such as targeted advertising, profiling, selling data and processing sensitive data. They must also comply with requests from the Colorado Attorney General to provide access to assessments.
The Colorado attorney general and state district attorneys share enforcement power, and the CPA does not provide for a private right of action.
Companies covered by the law
CPA does not apply to all businesses. It only applies to entities that:
- have contact with Colorado by:
- doing business in Colorado;
- to produce products or services intentionally intended for residents of Colorado;
- to provide products or services intentionally intended for residents of Colorado; and:
- achieve a specified level of control or processing of consumer data:
(a) monitoring or processing the data of 100,000 or more consumers during the calendar year; or
(b) profit from the sale of personal data and process or control the data of 25,000 or more consumers.
Exemptions and exceptions
Although the consumer rights listed by the CPA are broad, many types of data are excluded from its scope and several exceptions. Primarily, there is an exemption for financial institutions subject to the Gramm-Leach-Bliley Act and for higher education institutions in Colorado. The CPA also exempts “data retained for employment”. The CPA will not cover information submitted to FCRA, COPPA and FERPA. In addition, the The CPA will not cover anonymized data that cannot be linked to an identifiable individual and exempt data regulated by HIPAA and data pertaining to covered entities and healthcare institutions and providers.
The definition of “consumers” in the CPA is limited to persons who are residents of Colorado “acting in an individual or domestic context” and, as in the case of the CDPA, the definition does not include “a person acting in a business or professional context. , as a job seeker, or as beneficiary of a person acting in an employment context.
The CPA has a relatively broad definition of “sale”, but excludes a number of types of data disclosure in the definition to limit the scope that are similar to those of the CDPA. The CPA defines “sale” as “the exchange of personal data for monetary or other consideration”. These “sales” do not include disclosure of personal data to a subcontractor who processes the data for the controller, disclosure to a third party for the service requested by the consumer, disclosure to an affiliate, disclosure to a third party of the proposed or actual transaction where the party assumes control of the controller’s assets, a disclosure requested by the consumer to a third party, or the disclosure of data that a consumer has intentionally made available to the general public through a channel mass media.
Other notable differences between CPA, VCDPA, CCPA and ACPL
- CPA, like VCDPA, uses controller / processor terminology similar to GDPR.
- The consumer’s opt-out rights in the CPA are very similar to those in the VCDPA
- The CPA, like the CCPA, defines “sale” broadly to include transactions at market value, while the VCDPA limits sales to those for monetary consideration.
- Although the CCPA and VCDPA both provide an exemption for nonprofits, the CPA does not.
- The CPA also gives controllers the right to object to any subcontractor, unlike VCDPA and CCPA.
Colorado, California, and Virginia consumer privacy laws also have different definitions of “sensitive information” and how businesses should treat that data. Each requires that companies that collect sensitive data first obtain consumer consent. However, the PCA provides a stricter definition of consent, requiring that consent be “a freely given, specific, informed and unambiguous agreement” that does not include general or broad terms, “hover, cut, pause or close a given piece of content ”or“ chord obtained by dark patterns ”(although“ dark patterns ”are not defined).
Changes can happen
There may be some changes to the CPA before it goes into effect in 2023. Governor Jared Polis noted that the law needs clean-up legislation over the next year and still has “several outstanding issues” so watch this space for future developments.
* Many thanks to Summer Associate Dania Keller for providing us with the underlying research for this position.