Governor Jared Polis signed the Colorado Privacy Act (CPA) as SB 190 into law on July 7, 2021. It goes into effect on July 1, 2023.
With the CPA, Colorado becomes the third state to enact comprehensive privacy legislation. We’re starting to see trends form as state legislatures have success in passing these laws – limited/no private right of action is a common theme. In Colorado’s case, the CPA offers no private right of action.
Scope of the CPA
Similar to California’s CCPA and Virginia’s VCPDA, the CPA applicability is limited to companies that satisfy a two-part threshold:
- The company conducts business in Colorado OR targets Colorado residents with products or services; AND
- The company controls/processes personal data of 100,000 consumers per year OR derives revenue or receives a discount on the price of goods/services from the sale of personal data and controls/processes personal data of 25,000 consumers.
Consumer is defined in Section 6-1-1303(6) as “an individual who is a Colorado resident acting in an individual or household context.” So, the scope of the personal data processing requires 100,000 (or 25,000 depending on the context) Colorado residents for the CPA to kick in.
Additionally, the applicability is limited to “personal data,” which “means information that is linked or reasonably linkable to an identified or identifiable individual.” Further, “identified or identifiable individual” is also a defined term, which “means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.”
The definition for “personal data” also includes a carve-out for de-identified or publicly available information, which includes data made available from government records.
Data maintained for employment records purposes is excluded. As with other state privacy laws, there are carve-outs in the CPA related to federal privacy laws, in this case for certain entities and data subject to HIPAA, GLBA, FERPA, FCRA, and COPPA. Data collected by state and local governments is also excluded. Notably, these governmental exclusions only apply if the data is collected, maintained, disclosed, communicated, and used as authorized by law.
Personal Rights of Consumers
Right to Opt-Out – Consumers have the right to opt-out of certain processing, including:
- Targeted advertising;
- The sale of personal data;
- Profiling.
This right to opt-out is tied to a requirement for companies to respond to a yet-to-be-determined universal opt-out mechanism that is supposed to be technically defined by the Colorado Attorney General. However, consumers can also opt-in again after they’ve opted out using this universal mechanism. In such a case, the controller must give the consumer “clear and conspicuous notice” about the categories of data and the purpose of processing for targeted advertising or the sale of data. The ability to later revoke that consent has to be as easy as it was to opt-in.
On a side note, this is really spelling out all of the hurdles with consent, cookie walls, and nudging in a statute that won’t fully go into effect for a couple of years. As I read this section of the CPA for the first time, I can’t help but think of how a duty of loyalty in a privacy statute (as suggested by Neil Richards and Woodrow Hartzog) could aid some of these rigorous legislative drafting exercises.
Right of Access – “A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
Right to Correction – “A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purpose of the processing of the consumer’s personal data.”
Right to Deletion – “A consumer has the right to delete personal data concerning the consumer.”
Right to Data Portability – Paired with the right of access, this section provides consumers with the right to get a copy of their data in a portable and readily usable format “to the extent technically feasible.” This right can be exercised two times per calendar year.
Responding to Requests
Time
Controllers have to respond to consumer rights requests “without undue delay” but within a maximum of 45 days. However, that 45-day period may be extended “where reasonably necessary, taking into account the complexity and number of the requests.” If extended by an additional 45 days, the controller has to inform the consumer about the extension within the initial 45-day response period.
Fees
The first request during a 12-month period must be free; however, the controller may charge for subsequent requests based on statutory rates (presently up to $0.25 per page) for copies/printouts. In the case of personal data that is not provided in a standard page format, the fee must not exceed the actual cost of providing it.
Appeal
The controller must make commercially reasonable efforts to authenticate the request but does not have to comply with a request that it is unable to authenticate. Controllers must have an internal process that allows consumers to appeal a refusal. This appeal process must be conspicuous and as easy to use as the process for submitting a request.
Controllers must inform consumers of the appeal result within 45 days of the appeal and provide a written explanation of the controller’s reasons. This appeal period may be extended by 60 days “where reasonably necessary.” As with the initial consumer rights request, the extension notification must be provided within the initial 45-day appeal-response period.
Along with the appeal response, the controller must inform the consumer that they may contact the Colorado Attorney General if they have “concerns about the result of the appeal.”
Exceptions for De-Identified Data
Controllers are not required to reidentify de-identified data, maintain data in identifiable form solely for the purpose of responding to access requests, or go to unreasonable lengths to associate data requests with personal data in certain cases. Likewise, exceptions apply to pseudonymous data if the controller has appropriate technical and organizational controls in place that prevent the controller from accessing the data.
Consent
While consent seems broken in every other privacy law when it comes to actually using the notice and consent process, Colorado takes another stab at defining and refining consent to mean a specific thing.
“Consent means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent:
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
- hovering over, muting, pausing, or closing a given piece of content; and
- agreement obtained through dark patterns.”
And “dark pattern” is also a statutorily defined term that “means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
The definition of consent sounds quite diabolical from an online marketing standpoint in Colorado. However, the consent requirement is mentioned only with regard to overriding a technical opt-out mechanism (§ 6-1-1306(1)(a)(IV)(c)), processing data for secondary uses (§ 6-1-1308(4)), and processing sensitive data (§ 6-1-1308(7)).
Duties of Controllers
Duty of Transparency / Privacy Notice
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
This privacy notice must include the following:
- The categories of personal data collected or processed
- The purpose for which these categories of data are processed
- How consumers can exercise their rights (and appeal) under the CPA, including the controller’s contact info
- The categories of personal data that the controller shares with third parties
- The categories of third parties with which the controller shares personal data
Additionally, if a controller sells personal data to third parties or processes it for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, along with how the consumer can opt out.
Controllers can’t:
- Require consumers to create a new account to exercise a right
- Increase the cost or decrease the availability of products or services based on a consumer exercising their rights
Notably, the CPA has a specific carve-out for loyalty rewards and club card types of programs.
Duty of Purpose Specification
A controller shall specify the express purposes for which personal data are collected and processed. § 6-1-1308(2).
Duty of Data Minimization
A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed. § 6-1-1308(3).
Duty to Avoid Secondary Use
A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent. § 6-1-1308(4).
Duty of Care
A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. § 6-1-1308(5).
Duty to Avoid Unlawful Discrimination
A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers. § 6-1-1308(6).
Duty Regarding Sensitive Data
A controller shall not process a consumer’s sensitive data without first obtaining the consumer’s consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian. § 6-1-1308(7).
Data Protection Assessments
The CPA requires controllers to conduct a Data Protection Assessment in circumstances where the processing of data “presents a heightened risk of harm to a consumer.” § 6-1-1309. The phrase “heightened risk of harm” is non-exhaustively described to include (1) processing sensitive data, (2) selling personal data, and (3) targeted advertising or profiling where profiling “presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial or physical injury to consumers;
- a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers.” § 6-1-1309.
The DPAs must weigh benefits and risks, along with mitigation safeguards that the controller will use to reduce the risks. The controller must factor in the use of de-identified data and the reasonable expectations of the consumer, along with the context of the processing and the controller’s relationship with the consumer.
The DPA requirement is specifically exempted from any processing activities occurring prior to July 1, 2023.
While the controller must make DPAs available to the Colorado Attorney General on request, the DPAs are considered confidential and exempt from public records requests. Moreover, the mandatory disclosure to the AG “does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist.”
Enforcement / No Private Right of Action
As noted earlier, the CPA sticks to the US privacy legislation script and offers no private right of action to Colorado consumers. Enforcement of the CPA is vested solely in the authority of the Colorado Attorney General and district attorneys.
The CPA provides a required 60-day cure period under which the AG must first issue a notice of violation. Only if the controller fails to cure the violation within 60 days may the AG bring an action against the controller. Notably, this cure period requirement sunsets on January 1, 2025.