Following the lead of California and Virginia, on July 7, 2021, the Governor of Colorado signed into law the Colorado Privacy Act (CPA) to create a framework for personal data privacy rights. Although the law closely resembles the privacy laws passed in California and Virginia, there are some notable differences. The effective date of the law is July 1, 2023.
The law applies to entities that:
- Conduct business or produce products and services for Colorado residents
- Control or process personal data of at least 100,000 Colorado residents per year
- Control or process personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data
Unlike the California Consumer Protection Act (CCPA), there’s no revenue threshold for applicability of the law.
The law exempts:
- Financial institutions and their affiliates
- Data collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA)
- Data governed by other federal and state laws
- Listed activities and employment records
- Certain protected health data and data maintained by a public utility
Although there are several specific exemptions for health care controllers, there is no entity-level exemption for HIPAA-regulated entities as with other laws. Non-profit organizations aren’t exempt from compliance with the law.
Aligning with many of the enacted data privacy laws, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also have the right to opt-out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Under the CPA, data controllers must:
- Avoid unlawful discrimination
- Disclose when consumer data is sold to third parties or processed for targeted advertising, and inform consumers how to opt out
- Provide an accessible, clear, and meaningful privacy notice
- Provide purpose specification, minimize collection of personal data, and avoid secondary use
- Respond to consumer requests within 45 days after receipt of request (with a 45-day extension with notice to consumer)
- Take reasonable measures to secure data during retention and prevent unauthorized disclosure
For the processing of data that presents a heightened risk of harm to consumers, a controller will need to conduct a data protection assessment. The controller will need to make the assessment available to the Attorney General upon request.
Data processing agreements that regulate how data is processed will be required between data controllers and processors. The agreement must identify:
- A duty of data confidentiality for processors
- An obligation to delete or return all personal data to the controller at termination
- Duration of the processing
- Restrictions on engaging subcontractors
- The purpose of the processing
- The type of personal data to be processed
Enforcement of the law falls to the Colorado Attorney General and district attorneys. If a decision is made to initiate an action, notice must be provided to the controller, who then has 60 days to cure the violation. However, this right to cure is only for two years and will no longer be required as of January 1, 2025. Unlike the CCPA, there’s no private right of action. The Attorney General has the authority to promulgate rules that detail the technical specification of the universal opt-out mechanism and issue opinion letters and interpretive guidance that will take effect on July 1, 2025. If an entity is found in violation of the CPA, it can face a penalty of up to $20,000.
How To Prepare
The CPA doesn’t take effect until 2023, so it may seem like you have plenty of time to comply. However, as you focus on the growth of your business, effective dates have a way of sneaking up on you.
- Once you determine if your business falls within the scope of the law, begin to review and revise your data privacy policies. These policies will need to reflect personal data processing activities, notify consumers of new rights under the law, and identify methods consumers can use to exercise their rights.
- Make sure reasonable security measures are implemented and consistent with industry-recognized standards.
- If the processing of consumer data may present a heightened risk to the consumer, start developing a data protection assessment that will evaluate how you’ll process, sell, and use high-risk personal data.
- If you sell personal information, your business will need to establish a user-selected universal opt-out function that meets the standards outlined by the Attorney General by July 1, 2024.
- Businesses that collect sensitive personal information (i.e., information that reveals racial or ethnic origins, religious beliefs, mental or physical conditions or diagnoses, sexual orientation, citizenship data, genetic or biometric data, or personal data from a known child) will need to implement a method to obtain the consumer’s affirmative, informed, and clear consent for the collection of that data.
- Develop a system to accept, track, verify, and respond to consumer requests exercising their rights under the law. You’ll also need to develop a process to allow a consumer to appeal a decision made by the organization in response to the request.
- Ensure there’s adequate training and communication to employees about the new law, its requirements, and how to handle consumer requests in a timely and consistent manner.
Colorado won’t be the last state to enact a privacy law, as others will soon follow. Establishing a process now that will allow the business to adapt to new and changing laws is critical. Wolf will continue to monitor and provide updates as states enact new privacy laws.