The Colorado Privacy Act
The CPA, which became effective on July 1, 2023, draws inspiration from and improves upon models like the Virginia Consumer Data Protection Act and the dormant Washington Privacy Act.
The CPA introduces comprehensive rules for data handling and grants Coloradoans increased control over their personal information. It applies to entities conducting business in Colorado or targeting its residents, emphasizing consumer rights such as access, correction, deletion, and data portability.
What You Need to Know About Colorado’s Privacy Law
The CPA applies to you if your business:
- Is for-profit and conducts business in or provides commercial products or services that are intentionally targeted to residents (“consumers”) of Colorado, and
- During a calendar year controls or processes the personal information of either:
  - 100,000 residents, excluding data solely used for completing payment transactions; or
  - Derives revenue or receives a discount on the price of goods or services from the sale of personal information and processes or controls the personal information of at least 25,000 consumers.
The CPA exempts both certain data types and certain entities entirely. In addition, like almost every other state data privacy law, the CPA does not apply to individuals acting in an employment or commercial (B2B) context.
Exempt Data: The CPA exempts many different types of data from coverage under the law. Below is a list of some of the more commonly held data types that are exempt under the law. For a complete list, refer to the law or reach out to us at Red Clover Advisors; we would be happy to help you understand how your various data types affect your privacy obligations.
- Protected Health Information (PHI) under HIPAA;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit data regulated by the FCRA;
- Employment data;
- Data covered by a wide variety of other federal laws including FERPA data and DPPA data.
Exempt Entities: The CPA also exempts many different types of entities from coverage under the law. Below is a list of some of the more commonly relevant entity types that are exempt. For a complete list, refer to the law or reach out to us at Red Clover Advisors; we would be happy to help you understand how your entity classification affects your privacy obligations.
- Air carriers;
- National securities associations registered pursuant to the Securities Exchange Act of 1934;
- Certain public utilities;
- Public Colorado institutions of Higher Education;
- Certain bodies, authorities, boards, bureaus, commissions, districts, or agencies of the state;
- GLBA-covered entities.
If the CPA applies to your business, you will need to:
- Provide consumers with an accurate and up-to-date privacy notice that reflects the business’s privacy practices and consumer rights.
- Assess and, if necessary, obtain consent for processing sensitive personal information.
- Establish processes to respond to consumer rights requests effectively.
- Conduct data protection assessments for certain types of data processing activities.
- Ensure vendor contracts align with CPA requirements.
Key Components of Colorado’s Data Privacy Law
Personal information, called “personal data” in the CPA, means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.
Where a controller processes de-identified data, the CPA requires them to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the CPA.
Colorado exempts pseudonymous data where the controller can show that the information needed to re-identify the data is kept separately and is subject to technical and organizational controls that prevent it from being accessed for re-identification.
Colorado’s definition of sensitive personal information, called “sensitive data,” consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition or diagnosis;
- Sex life or sexual orientation;
- Citizenship or citizenship status;
- Personal information from a known child;
- Genetic or biometric data.
Privacy Notice
Does the CPA require a privacy notice? In a word: Yes!
Under the CPA, a privacy notice must include:
- The categories of personal data processed;
- The purpose for processing;
- Whether you share or sell personal information;
- The categories of third parties with which personal information is shared;
- The categories of personal information that are shared with third parties;
- The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
- A method for a consumer to contact the company;
- The date of the latest update to the notice.
Colorado defines “sale” as the exchange of personal information for monetary or other valuable consideration by the controller to a third party.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of personal data to provide a product or service requested by the consumer, the disclosure of personal data that had been intentionally made available to the public, and the disclosure of personal data as part of a merger or bankruptcy. For more, see the statute.
Unlike under most state data privacy laws, the attorney general (AG) is not the sole enforcement authority under the CPA; district attorneys may also bring enforcement actions. The CPA provides a 60-day cure period for enforcement, meaning an enforcement agency must give notice and an opportunity for the business to cure the alleged violation(s); however, the cure period will sunset on Jan 1, 2025. Penalties may take the form of injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $20,000 per violation and a maximum penalty of $500,000.
Privacy Rights
The individual rights created under the CPA generally align with those provided under other state laws. If the CPA applies to your business, you must provide consumers with the following rights:
- Right to know whether a business is processing their personal information;
- Right to access personal information;
- Right to correct personal information;
- Right to delete personal information;
- Right to obtain a copy of personal information (data portability); and
- Right to opt out of the sale of personal information, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
The CPA requires that businesses respond to individual rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once every 12 months. Businesses may deny a rights request in certain circumstances. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 45 days of receipt, expandable by up to an additional 60 days. If denying the appeal, the consumer must be informed of their ability to contact the attorney general.
Data Protection Assessments (also known as Privacy Impact Assessments aka PIAs)
The CPA requires that businesses conduct data protection or privacy impact assessments for processing that presents a heightened risk of harm, including:
- Processing for targeted advertising;
- Processing sensitive personal information;
- Selling Personal information; and
- Processing for the purposes of profiling in certain circumstances.
Vendor Contracts
Colorado requires a contract that dictates how data processors (also called service providers or vendors) may process personal information. Contracts must include instructions for processing data, the nature and purpose of processing, the type of data subject to processing, and the duration of processing, and must specify the rights and obligations of both parties. In addition, the contract must require that the processor:
- Ensure that each person who processes personal information is subject to a duty of confidentiality;
- Employ security protections appropriate for the risk;
- Delete or return all Personal information at the controller’s direction or when it has completed the services, unless retention of the personal information is required by law;
- Make available all information necessary to demonstrate the processor’s compliance with its obligations;
- Allow and cooperate with audits by the controller, or an independent auditor to review its policies and practices, and provide a report of the assessment to the controller;
- Provide the opportunity for the controller to object to any sub-processors;
- Pass along the same obligations to any subcontractors in a written contract.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But a daunting task is not an impossible one.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.