Certain Colorado companies and others targeting Coloradans will soon be subject to the newly enacted Colorado Privacy Act (“CPA”), signed into law by Gov. Jared Polis on July 8, 2021. Colorado joins California and Virginia as the third state to enact its own comprehensive consumer data privacy legislation.

Who must comply with the new CPA rules?
Starting on July 31, 2023, businesses will be subject to the CPA if they are located in Colorado or intentionally target Colorado consumers, and either: (1) control or process personal data of more than 100,000 Colorado consumers per calendar year; or (2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 Colorado consumers, unless they meet one of several exemptions. The law applies directly to both “controllers” and “processors,” meaning that it may apply directly to some out-of-state service providers that agree to handle data subject to the CPA. However, the CPA does include broad exemptions for companies and data that are subject to specific state and federal laws, such as HIPAA, GLBA, the FCRA, COPPA, and FERPA, as well as data processed in connection with employment and in business-to-business contexts.

To what data does the CPA apply?
The CPA applies to “personal data,” which is defined broadly as information that is linked or reasonably linkable to an identified or identifiable individual. As with other recent privacy laws, there are also specific requirements for sensitive data, such as data relating to biometrics, race, ethnic origin, religious beliefs, mental/physical health, sex life/sexual orientation, or citizenship status.

The law exempts from its requirements data that is de-identified, and defines specific criteria that must be met in order for data to be considered de-identified. Uniquely, the CPA also has specific requirements relating to the handling of ‘pseudonymized’ data, which was sometimes unclear under other state privacy laws. The CPA also exempts certain publicly available data that has either been made available through government records, or that the consumer made available to the public.

What rights does the CPA give consumers?
Although the CPA does provide consumers with many of the same rights available under the California and Virginia privacy laws, there are some important differences, which will require the implementation of new procedures. Colorado’s consumer rights fall into five main categories, described below. As in other states, these rights may be enforced by the individual directly, or through an agent:

1. Opt out. Consumers can opt out of the processing of their personal data for purposes of:

a. targeted advertising;
b. the sale of personal data (defined broadly to include most exchanges of personal data for monetary gain or other valuable consideration); or
c. profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

2. Access rights. Consumers may obtain a copy of their personal data and confirm if a company is using or otherwise processing their data.

3. Correction. Consumers can correct inaccuracies in their personal data.

4. Deletion. Consumers may request the deletion of their personal data.

5. Portability. Consumers have the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.

What are companies’ duties and obligations?
The CPA’s requirements are broadly similar to the rights under CCPA/CPRA and GDPR. Generally, the CPA includes the following core requirements:

  • Transparency. Provide a transparent, clear, and meaningful privacy notice that is easy for consumers to understand and complies with the CPA.
  • Purpose Specification. Limit processing to what is necessary and appropriate for the specified purpose.
  • Minimization. Only collect data that is adequate, relevant, and limited to what is necessary for the specified purpose.
  • Consent to Secondary Use. Avoid using personal data beyond what was disclosed to the customer, except with prior consent.
  • Care. Implement reasonable measures to protect against unauthorized acquisition.
  • Nondiscrimination. Duty not to unlawfully discriminate.
  • Impact Assessments. Companies must conduct data protection assessments prior to engaging in targeted advertising, profiling, and when processing presents high risks to consumers.
  • Vendor Management. Companies must enter into data processing contracts with subcontractors, requiring them to protect personal data, assist in data rights compliance, and process personal data only for specified purposes.

How could this impact my business?
If your company is subject to the CPA, you must be sure that you understand all of the personal data collected or otherwise processed by your company, where it is throughout its lifecycle, who has access to it for what purpose, and which vendors may interact with the data. You may need to implement new procedures to respond to consumer data rights requests (typically within 45 days). Companies will likely need to update their privacy notices, as well as their contracts with service providers and others, and implement opt-out mechanisms and related notices, as needed. Companies that run afoul of the CPA may be fined up to $20,000 per violation.

Who can enforce this new law?
The CPA does not allow for a private right of action. Only the Colorado Attorney General and District Attorneys may bring enforcement actions. Additionally, the CPA authorizes the Attorney General to promulgate rules relating to certain aspects of the CPA. Giving a nod to how difficult a pivot to compliance may be, the CPA gives companies a 60-day period to cure a violation. However, the cure period expires on January 1, 2025.

For additional information on Dorsey’s Cybersecurity, Privacy and Social Media practice, click here.