On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The CPA will take effect on July 1, 2023 and joins the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“VCDPA”) on a growing list of comprehensive state data privacy laws in the United States.
The CPA features CCPA, CPRA, and VCDPA-like compliance obligations — including providing notice of processing activities and offering data subject rights. The law also mirrors some requirements from the EU’s General Data Protection Regulation (“GDPR”), such as prescriptive data processing agreements, opt-in consent for processing sensitive personal information, limitations on profiling, and data protection assessments.
The CPA does not provide for a private right of action for violations of the law.
The CPA’s Scope
The CPA’s compliance obligations apply primarily to “controllers” (defined as entities that determine the purpose and means of processing personal data) that (a) conduct business in Colorado or intentionally target Colorado residents with commercial products and services, and (b) either:
i. Control or process the personal data of at least 100,000 Colorado consumers in a calendar year; or
ii. Derive any revenue or receive discounts on goods or services from the sale of personal data and process or control the personal data of at least 25,000 Colorado consumers.
Because the CPA does not define the terms “conducting business” in Colorado or “intentionally targeting” Colorado residents, the law’s applicability to companies that don’t have a significant presence in the state will require further analysis. A high-level review of Colorado statutes and case law suggests that the state may have a narrow view of its jurisdiction over “foreign” corporations — those not based in Colorado.
The law includes scope limitations found in other state privacy laws. The CPA does not apply to (or has very limited requirements for) personal data of employees or business contacts; information regulated by HIPAA, GLBA, COPPA, FERPA, and FCRA; de-identified and pseudonymous data; and publicly available information.
Key Obligations
Privacy Notice
Controllers have a duty of transparency and must provide consumers with an accessible, clear, and meaningful privacy notice. The privacy notice must describe the categories of personal data collected, the purposes for which personal data is processed, how personal data is shared with third parties, and how consumers may exercise privacy rights.
Purpose Specification and Secondary Use Processing
The CPA requires controllers to specify the purposes of processing personal data in the controller’s privacy notice, and prohibits controllers from processing personal data for purposes unrelated to the specified purposes without the consumer’s consent.
Processing of Sensitive Personal Data
The CPA requires controllers to obtain the affirmative consent of the consumer prior to processing sensitive data. The law defines sensitive data as data revealing racial or ethnic origin, religious beliefs, health conditions or diagnosis, sexual orientation, citizenship status, genetic or biometric data, or personal data from a known child.
Consent and Dark Pattern Prohibitions
The CPA will prohibit controllers from using “dark patterns” to obtain user consent. Dark patterns are user interfaces designed or manipulated to subvert or impair user autonomy, decision making, or choice. The CPA’s ban on dark patterns is aligned with the FTC’s and other agencies’ efforts to address the use of dark patterns.
Consumer Privacy Rights
The CPA provides consumers with the rights of access, correction, deletion, and data portability. Consumers also have the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Companies that process personal data for targeted advertising or the sale of personal data are required to accept opt-outs from a universal mechanism by July 1, 2024, and the Colorado attorney general will adopt rules by July 1, 2023 that detail the universal mechanism’s technical specifications. Until universal opt-out mechanisms are required, controllers must clearly provide a method for Colorado consumers to exercise their right to opt out of the sale of personal data and targeted advertising in their privacy notices and in a readily accessible location outside the privacy notice.
The CPA exempts trade secrets from disclosure in response to consumers’ data subject requests, which is equivalent to the CCPA/CPRA exemption in California.
Data Protection Assessments
The CPA requires controllers to conduct and document data protection assessments prior to the processing of personal data that presents a “heightened risk of harm to the consumer.” This includes the processing of sensitive data, processing personal data for the purposes of targeted advertising, and selling personal data.
Processor DPAs
Where controllers engage processors, the parties must enter into data processing agreements (“DPAs”) that must include a description of the data processed, the duration of processing, confidentiality requirements, restrictions on sub-processing, security provisions, and audit provisions.
Enforcement and Penalties — No Private Right of Action
The CPA goes into effect on July 1, 2023 and will be enforced by the Colorado attorney general and district attorneys. A violation of the CPA will constitute a deceptive trade practice under Colorado law, and will be subject to injunctive and civil penalties of not more than $20,000 for each violation. To help businesses comply with the law, the Colorado attorney general is authorized to issue opinion letters and interpretive guidance.
The CPA does not provide for a private right of action for violations of the law, which means that consumers cannot easily organize into class-action litigation. The CPA also provides businesses with a 60-day right-to-cure period following receipt of a notice of violation. However, this provision expires on January 1, 2025.
What’s Next?
The Colorado governor and legislature have already indicated that a clean-up bill will be necessary to address several outstanding issues and gaps in the CPA.
However, in the absence of federal privacy legislation, businesses will once again be tasked with building scalable and actionable privacy programs around America’s patchwork of data privacy regulation. Businesses that operate nationally may find themselves looking for common denominators across state privacy laws, and be required to adhere to the strictest shared provisions.