And Then There Were Three: Colorado Passes Privacy Law, Effective July 2023
Colorado recently joined Virginia and California in passing a more comprehensive privacy law. The Colorado Privacy Act (CPA) will go into effect July 1, 2023. This is six months after Virginia’s law (CDPA) and California’s Privacy Rights Act (CPRA), which amends the existing CCPA, go into effect. The law does not have a private right of action, and the AG is to adopt regulations on certain aspects by July 1, 2023.
Applicability. Like CDPA, Colorado’s law covers information about “consumers,” which are people acting in their personal capacity; it does not apply to information about employees. The law will apply to companies that conduct business in Colorado and meet one of the following: (1) control or process the personal data of 100,000 Colorado consumers during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more. Like Virginia’s CDPA, the law exempts financial institutions (subject to GLBA). While other types of data, including certain health care information, are exempt, covered entities and business associates subject to HIPAA are not wholesale exempt (unlike under CDPA). The law does not apply to other types of data regulated by various laws (such as COPPA and FERPA, among others). Unlike in California and Virginia, non-profits are in scope and will not be exempt.
Individual Rights. Colorado consumers will have rights similar to those under other US laws and GDPR, for example, a right of access and a right to correct. There are also rights to deletion and data portability. Like Virginia and the CCPA, there is a right to opt out of the sale of information. Also like Virginia, there is a right to opt out of targeted advertising and profiling. For targeted advertising, this will not be a new concept, since companies will already be addressing this by following the DAA and FTC self-regulatory schemes. Consumers will need to be able to exercise their rights through a universal opt-out mechanism; the Colorado AG will issue regulations on this topic. Also like California and Virginia, these rights requests must be honored within 45 days (with an extension available in certain circumstances). Colorado’s new law, as with that of Virginia, includes some of GDPR’s “sensitive information” concepts, requiring opt-in consent to process any such information.
Contractual Requirements. Like Virginia and GDPR, contracts between controllers and processors should outline certain obligations. (CPA uses the “controller” and “processor” terminology, similar to Virginia and GDPR, but unlike California which refers to parties as “businesses,” “service providers” and “third parties.”) Contractual obligations include instructions about the nature, purpose, and duration of processing. Contracts will also need to include requirements around sub-contractors, data security, termination procedures, and cooperation (among others).
Accountability and Governance. CPA introduces data minimization concepts, i.e., collection of information must be limited to what is reasonably necessary for the processing. This is like CDPA, CPRA, and GDPR. While not a new concept in data use practices, CPA more explicitly introduces a duty to avoid secondary uses of data. This means that personal data should not be processed except for the purposes for which the data was collected, unless the consumer consents. CPA also calls for the documentation of data protection assessments, similar to CPRA (but not CCPA), CDPA, and GDPR. These assessments are required for specific types of processing activities listed in the statute. Those activities include the sale of personal data and the processing of sensitive data. They also include targeted advertising where profiling may present certain risks.
Enforcement. There is no private right of action under this new Colorado law. The attorney general and district attorneys have exclusive enforcement authority. The AG is required to provide a 60-day written notice to companies it believes are in violation of the law and an opportunity to cure prior to initiating any action. However, there is a sunset provision for the cure period starting January 1, 2025. Violations of the CPA constitute deceptive trade practices and therefore are subject to a $20,000 per violation fine pursuant to the Colorado Consumer Protection Act.
Putting it Into Practice. The CPA blends together concepts from existing California and EU law, as well as the upcoming (January 1, 2023) requirements in Virginia and California. Companies working on updating their privacy compliance programs for those two will want to add Colorado residents into the mix, and consider more broadly how they will comply with these requirements across states. For those already adhering to GDPR, the additional requirements may not be burdensome, but some level of gap analysis will be needed.