8/6/21
On July 7, 2021, Colorado passed the Colorado Privacy Act (“CPA”), becoming the third state, joining California and Virginia, to enact comprehensive consumer privacy legislation. The CPA will not go into effect, however, until July 1, 2023. Moreover, Colorado Governor Jared Polis noted in signing the bill that it “will require clean-up legislation next year, and in fact, the sponsors, proponents, industry, and consumers are already engaged in conversations to craft that bill. We encourage those to continue but urge that they strike the appropriate balance between consumer protection while not stifling innovation and Colorado’s position as a top state to do business.” Thus, the law will likely be subject to changes before the effective date.
Overview of the CPA
Who it applies to: The CPA applies to an entity that:
There is no revenue threshold; an entity of any size is subject to the CPA if, and only if, it meets the criteria above.
What information is covered: The CPA applies to the entity’s control or processing of “personal data,” defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition explicitly excludes “de-identified data or publicly available information.” “Publicly available information” is information that is “lawfully made available from federal, state, or local government records” or that “a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”
The CPA exempts the processing or controlling of employment records and business-to-business data. The CPA further contains data-specific exemptions for data subject to certain state and federal laws and regulations, including the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act.
Consumer rights: The CPA affords consumers, defined as a Colorado resident acting in an individual or household context, the right to:
The right to opt out is afforded to consumers when their personal data is processed for purposes of targeted advertising, the sale of the data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” A controller that sells personal data or engages in targeted advertising must provide a clear and conspicuous method to exercise the right to opt out. Beginning July 1, 2024, such a controller must also allow the consumer to exercise the right to opt out through a “user-selected universal opt-out mechanism,” the technical specifications for which are to be developed by the Attorney General.
Requirements for businesses: The CPA specifies obligations for controllers, which are defined as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data.” The CPA requires controllers to:
The CPA also creates obligations for processors, which are defined as a person that processes personal data on behalf of a controller. The CPA requires processors to:
Enforcement: Enforcement of the CPA is exclusively through the Attorney General or District Attorneys. The CPA explicitly provides no private right of action to consumers. Prior to any enforcement action, if the violation is deemed curable, the Attorney General or District Attorneys must issue a notice of violation to the controller and allow 60 days to cure. If the controller fails to cure, or if a cure is deemed impossible, the Attorney General or District Attorneys can bring an enforcement action, including seeking an injunction to enjoin the violation. Any violation of the CPA is deemed a deceptive trade practice for purposes of the Colorado Consumer Protection Act and could result in civil penalties of up to $20,000 per violation. The notice-to-cure requirement sunsets on January 1, 2025.
For more information, please contact Bill Cheney at [email protected].