Colorado is officially the third U.S. state to enact comprehensive privacy legislation, following California and Virginia. The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-109, on June 8, 2021, and Governor Jared Polis signed it into law on July 7, 2021.
The Colorado Privacy Act takes effect July 1, 2023, six months after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA).
The CPA provides new obligations on Controllers—that is, any entity that (i) determines the purposes and means of processing personal data, (ii) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of the state, and (iii) either: (a) controls or processes the personal data of more than 100,000 Colorado residents per year or (b) derives revenue from selling the personal data of more than 25,000 Colorado residents.
It also provides new rights to Consumers—or, any individual who is a Colorado resident acting in an individual or household context.
The CPA does not apply to data that is subject to other federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), and the Securities Exchange Act of 1934. The CPA also exempts employment data, higher education institutions, nonprofits, state and local governments, and public utility customer records (so long as they are not sold).
Consumer Rights under the Colorado Privacy Act
The rights the CPA affords to Consumers are similar to those in the VCDPA and CCPA/CPRA.
In broad strokes, the CPA regulates the use of and disclosures surrounding “personal data,” which includes information that is linked, or reasonably linkable, to an identifiable person, and “sensitive data,” which includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition, sexual orientation, citizenship, genetic or biometric data, or personal data from a known child.
The CPA empowers Consumers with new controls over their data, including the right to:
opt out of the processing of certain personal data;
access personal data (up to twice per calendar year);
correct inaccurate data;
delete personal data; and
Controller Duties under the Colorado Privacy Act
Similarly, the CPA creates duties for Controllers, including the:
Duty of transparency;
Duty of purpose specification;
Duty of data minimization;
Duty to avoid secondary use;
Duty to avoid unlawful discrimination; and
Duty regarding sensitive data.
In addition, while Consumers may request access to their personal data, Controllers may not require that a Consumer create a new account in order to exercise this right (or retaliate with increased cost or decreased availability of a product or service ). When responding to Consumer data requests, Controllers must:
Take action on the Consumer’s request without undue delay and within 45 days of receiving the request—with few exceptions.
Develop an internal process for Consumers to appeal refusals of data requests.
Notify the Consumer that it may contact the Colorado Attorney General if the Consumer has concerns about the result of the response and outcome of appeal.
Controllers must also conduct data protection assessments for each processing activity involving a heightened risk of harm to Consumers, including:
The sale of personal data;
Processing of sensitive data; or
Processing personal data for targeted advertising if it could lead to unfair or deceptive treatment or have a disparate impact on Consumers, financial or physical injury, physical or other intrusion upon seclusion, or other substantial injury
Controllers must present these data protection assessments to the CO Attorney General upon request.
One key difference between the CPA and California and Virginia privacy laws is that the CPA is enforceable by both the district attorney and office of the attorney general. This broadened enforcement mechanism could lead to greater scrutiny of affected businesses.
Unlike the CCPA, the CPA does not include a private right of action. The attorney general or district attorney may, however, institute a civil action or pursue injunctive relief. Failure to comply with the CPA may be considered a deceptive trade practice. Financial penalties are left to the discretion of the courts.
Colorado may be only the third state to enact comprehensive privacy legislation, but other states will likely be soon to follow. Differences between the CPA, VCDPA, and CPRA are subtle, and there are plenty of technical details to sift through. While this may ease the burden of compliance, companies still need to ensure their data collection activities fully comply with the provisions of each privacy act.
And with more states likely to follow suit, data privacy compliance will only get more complicated.