Colorado Privacy Act (CPA) will go into effect on July 1, 2023. Colorado is the third state to enact a comprehensive US data privacy law following California’s CCPA in 2018 and Virginia’s VCDPA in 2021. It will protect the privacy rights of Colorado residents and will apply responsibilities to companies doing business in the state of Colorado.
The CPA establishes the rights of consumers and obligations for controllers and processors.
The CPA is designed to protect a consumer, who is defined as “an individual who is a Colorado resident acting only in an individual or household context; and does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context”.
A data controller is defined as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data”. So a controller could be a person, a company, or a non-profit organization.
A data processor is defined as “a person that processes personal data on behalf of a controller”. Again, it could be a person, a company, or a non-profit organization, as well as a third party. The CPA requires processors to adhere to the controller’s instructions and cooperate with the controller to comply with its obligations.
Consumers' Rights Under the CPA
Colorado consumers have these main rights under the CPA:
- Right of access. Consumers have the right to confirm whether or not a controller is processing the consumer's personal data and to access such personal data.
- Right to correct. Consumers have the right to correct inaccuracies in their personal data, regarding the nature and the purposes of the personal data.
- Right to delete. Consumers have the right to delete their personal data.
- Right to data portability. Consumers have the right to obtain a copy of the consumer's personal data in a usable format and to the extent technically feasible.
- Right to opt-out. Consumers have the right to choose between explicit or implied consent modes for the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in decisions that produce legal or other significant effects concerning the consumer. Consent for using and processing personal data must be freely given, specific, informed, and unambiguous agreement.
- Right to appeal. Like under Virginia’s VCDPA, consumers have the right to appeal a business's denial to act within a reasonable time. Under the law, an entity controlling personal data must respond to a consumer request within 60 days of receipt of the request. If a business fails to take action, the controller should provide an appeal process that must be available and easy to use.
Personally Identifiable Information and Sensitive Data
Colorado Privacy Act protects personally identifiable information, which refers to information that is “linked or reasonably linkable to an identified or identifiable individual”. The CPA protects both physical and digital information. CPA establishes standards for controlling, storing, processing, and maintaining personally identifiable information.
The following data is considered personally identifiable information, and thus is protected:
- Biometric data
- Credit and debit card numbers
- Driver’s license and license plate numbers
- Email addresses
- Employer information
- Financial information
- Health insurance identification number
- Home or work addresses
- Medical information
- Military identification numbers
- Passport identification numbers
- Social Security number
- Student identification numbers
- Telephone numbers
- Other data
Not all data counts as personally identifiable information. First, lawfully made available government records are not considered personal data. Second, the information that the consumer himself has made public to the general public through widely distributed media also is not considered personal data. For example, if consumers post their data publicly on social media, this information is not considered their personal data.
Similar to other privacy laws, the CPA also specifies the sensitive data that needs specific consent and handling. The following data is considered sensitive data, that could reveal:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data that may be used to uniquely identify an individual
- A known child.
Who Has to Comply With the Colorado Privacy Act?
Entities, that have to comply with the CPA
Under the CPA, obligations are imposed on entities that are doing business in Colorado and/or processing the data of Colorado residents and that either:
- Control or process the personal data of at least 100 000 users during a calendar year, or
- Process personal data from at least 25 000 residents annually and receive revenue or a discount on goods/services as the result of the sale of that data.
Conducting business in Colorado does not imply that a company has a physical presence in the state. Companies meeting the requirements and doing business via websites or apps also need to comply with CPA.
However, even large entities will not be subject to the law so long as they do not fall within one of the two categories listed above.
Exemptions to Colorado Privacy Act compliance
Not all entities that are doing business in Colorado and/or processing the data of Colorado residents need to comply with the CPA, as noted above. Additionally, these types of organizations are also exempt:
- Public utilities
- Entities covered by the Gramm-Leach-Bliley Act
- Entities covered by the Children’s Online Privacy Protection Act
- Entities covered by the Family Educational Rights and Privacy Act
- Entities that are subject to the Fair Credit Reporting Act
- Governmental entities in Colorado
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Entities, collecting or processing data for Colorado health insurance law purposes
- Entities, collecting or processing data for employment records purposes
- Entities, processing de-identified personal data
- Consumer reporting agencies
- Higher education institutions
Colorado’s CPA does not exclude non-profit organizations from its scope, unlike other states' similar data privacy laws.
Entities’ Obligations Under the CPA
Businesses have these responsibilities and duties regarding the collection and usage of data:
- Duty of transparency. Entities must provide a “reasonably accessible, clear, and meaningful privacy notice”.
- Duty of purpose specification. Entities must provide what data is being collected and for what specific purposes.
- Duty of data minimization. Entities must collect and use the data, that is adequate, relevant, and limited to what is reasonably necessary to fulfill the communicated purpose.
- Duty to avoid secondary use. Entities must not process personal data for purposes that are not reasonable or necessary to the communicated purpose.
- Duty of care. Entities must take reasonable measures to secure data from unauthorized access.
- Duty to avoid unlawful discrimination. Entities must not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers.
- Duty regarding sensitive data. Entities must not process consumers’ sensitive data without obtaining explicit and informed consent, or, in the case of a known child, without obtaining consent from the parent or guardian.
- Data protection assessment.
- Data processing contracts. The data controllers must sign data processing agreements with data processors. Such agreements must clearly set forth instructions for processing data, the nature, and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties. The data processors must correspond to the instructions of the controller.
CPA Enforcement And Penalties
Unlike California's CCPA, there is no right of action against the infringement for consumers- private users. The CPA is enforced by the Colorado Attorney General’s Office. Once the state attorney general discovers a CPA violation and decides to take action, the office must notify the controller.
There is a 60-day cure period, which allows entities that receive letters regarding noncompliance to communicate with the state attorney general’s office and correct any potential violations before fines are imposed.
If the controller fails to cure the violation during the notification waiting period, the attorney general can fine entities with these penalties:
- From US$ 2,000 to US$ 20,000 per violation, or
- From US$ 10,000 to US$ 50,000 per violation against an elderly person.
The CPA used to have maximal penalties of US$ 500,000 for a series of violations, but that is no longer valid from 2019.
As a result of serious CPA oversight, Colorado Privacy Act violations can also lead to criminal charges.
How to Comply With the Colorado Privacy Act?
These are the advice for companies that could help to comply with the CPA:
- Perform regular data audits, risk assessments, and reviews of privacy policies.
- Ensure that it is reasonably easy for consumers to contact companies. Companies must also be able to respond to and comply with consumer requests in a timely manner.
- Review your data processing contracts with data processors.
- Use Consent Management Platform to ensure companies are collecting and storing consumers’ consents as required under the CPA.
Frequently Asked Questions
What is the Colorado Privacy Act?
When does the Colorado Privacy Act start?
Who must comply with the Colorado Privacy Act?
Under the CPA, obligations are imposed on entities that are doing business in Colorado and/or processing the data of Colorado residents and that either control or process the personal data of at least 100 000 users during a calendar year, or process personal data from at least 25 000 residents annually and receive a revenue or a discount on goods or services as the result of the sale of that data.
Does Colorado have a Privacy Act?
Is it prohibited to sell personal information in Colorado?
The Colorado Privacy Act (CPA), which will take effect on July 1, 2023, gives consumers the right to ask companies not to sell their personal information. The CPA also gives consumers access to any data companies have about them.