On June 7, 2021, the Colorado House of Representatives passed the Colorado Privacy Act (CPA), a comprehensive privacy law similar to the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA), as well as Virginia’s Consumer Data Protection Act (CDPA). Shortly after, on June 8, the Colorado Senate passed the amended House version of the bill, which means that the CPA will be sent to the governor for his signature.
We summarize the key provisions of the CPA below. Assuming the Colorado governor signs the bill into law, most of it will take effect on July 1, 2023. (Certain provisions will not go into effect until July 1, 2024).
At a high level, the CPA’s requirements are generally in line with those imposed by the CDPA, and they largely resemble those in the CPRA as well. The CPA and CDPA share the controller/processor distinction created by the EU’s General Data Protection Regulation (GDPR), and they grant consumers a specific set of rights, including rights to access, delete and correct their personal data, as well as the right to opt out of the processing of their personal data for certain specified purposes. Like the CDPA, the CPA contains no private right of action and is enforceable only by the attorney general; unlike the CCPA/CPRA, it provides no private right of action even for data breaches.
Summary of Key Provisions of CPA
- Applicability. The CPA applies to “controllers” that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and meet one of the following thresholds: 1) control or process the personal data of 100,000 or more Colorado residents or 2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents. This is similar to the scope provision in Virginia’s CDPA, though broader, since the CDPA requires for the second threshold that the business derive over 50 percent of its gross revenue from the sale of personal data. The CPA’s scope is narrower than that of the CCPA/CPRA, since the CCPA and CPRA also include a third threshold for businesses that have annual revenues of over $25 million. Notably, the definition of a “consumer” under the CPA excludes individuals acting in a commercial or employment context, similar to the CDPA. (The CCPA/CPRA also have B2B and employment exemptions, except they are treated slightly differently).
- Exemptions. Like the CCPA/CPRA and CDPA, the CPA contains numerous exemptions for information that is already regulated under other federal laws, including HIPAA, GLBA, FCRA, COPPA and FERPA (among others). A key distinction between the CPA and Virginia’s CDPA (and a similarity between the CPA and the CCPA/CPRA) is that the CPA does not have entity-wide exemptions for Covered Entities and Business Associates under HIPAA. Instead, it exempts protected health information as defined by HIPAA (along with other regulated health information). The CPA does, however, have an entity-wide exemption for financial institutions and their affiliates regulated under the GLBA.
- Enforcement. The CPA is enforceable only by the Colorado attorney general and by district attorneys. Like Virginia’s CDPA, it does not have any private right of action. Similar to the CCPA/CPRA and CDPA, the CPA provides companies with a “right to cure.” However, this provision is set to expire on January 1, 2025. The bill does not identify specific penalty amounts, but it states that violations of the law are enforceable as deceptive trade practices.
- Broad definition of personal data. The CPA adopts a definition of “personal data” identical to that in the CDPA, which is “information that is linked or reasonably linkable to an identified or identifiable individual.” (The CCPA/CPRA include specific categories of information regulated as personal information, while the CDPA and CPA do not). Like the other laws discussed, the CPA excludes de-identified and publicly available information (and specifically defines both).
- Regulation of sensitive data. Like the CPRA and CDPA, the CPA has special protections for sensitive data, which it defines as 1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; 2) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or 3) personal data from a known child. In general, sensitive data may not be processed without the consent of the consumer.
- Right to opt-out. The CPA provides consumers with the right to opt out of processing of personal data for the following purposes: 1) targeted advertising; 2) sale; and 3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. This is identical to the opt-out provision in Virginia’s CDPA.
- Other individual rights. Like the other privacy laws, the CPA creates a number of individual rights for consumers, including 1) the right to request deletion of their personal data; 2) the right to access their personal data; 3) the right to correct their personal data; and 4) the right to data portability.
- Processing obligations for controllers. Similar to the CDPA, the CPA creates a number of specific processing duties for controllers. These duties include 1) a duty of transparency; 2) a duty of purpose specification; 3) a duty of data minimization; 4) a duty to avoid secondary use; 5) a duty of care; 6) a duty to avoid unlawful discrimination; and 7) a duty to process sensitive data only with consumer consent.
- Contracting obligations for processors. As the CCPA/CPRA require and the CDPA contemplates, the relationship between a controller and processor must be governed by a contract that sets out the nature and purpose of the processing, and that includes the following requirements: 1) the processor must delete or return all personal data to the controller at the end of the contract, and 2) the processor must cooperate with audits by the controller to verify compliance with the law.
- Data protection impact assessments. Like the CDPA and CPRA, the CPA requires companies to conduct data protection impact assessments for certain use cases, including 1) targeted advertising or profiling (that creates specific risks for consumers); 2) selling personal data; and 3) processing sensitive data.
- Rulemaking. Similar to the CCPA/CPRA (but unlike the CDPA), the CPA gives the attorney general broad rulemaking authority.
- Universal opt-out. Beginning on July 1, 2024, controllers that process personal data for the purposes of targeted advertising or the sale of personal data must provide consumers with the ability to opt out through a “universal opt-out mechanism.” Additionally, the CPA specifies that by July 1, 2023, the attorney general must adopt rules detailing the technical specifications for a “universal opt-out” that controllers are required to use.
Companies that do business in Colorado should continue to monitor the CPA and should consider what additional compliance steps may be necessary, in addition to existing CCPA/CPRA and CDPA compliance efforts. We will keep you updated with the latest developments with the CPA, including if and when it is signed into law.