On June 8, 2021, the Colorado General Assembly passed the Colorado Privacy Act (“CPA”). If signed by Governor Jared Polis, Colorado will join California and Virginia as only the third state of the Union to pass comprehensive data privacy legislation. Following in the footsteps of the California Consumer Privacy Act (“CCPA”) and Virginia’s Consumer Data Protection Act (“CDPA”), the CPA will establish certain consumer data privacy rights and obligate businesses to protect consumer personal data. Similar to the CDPA, enforcement of the CPA will not begin until July 1, 2023. However, if passed into law, it is important for businesses to soon consider implementing CPA compliance measures.
What are the key requirements of the CPA?
Colorado Privacy Law Details
The CPA would apply to “legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents” and that also satisfy at least one of the following criteria: 1) control or process the personal data of more than 100,000 consumers in a calendar year; or 2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. Personal data protected by certain federal laws, such as the Gramm-Leach-Bliley Act, and health and patient information covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) will be exempt from the Colorado privacy law.
Similar to the CDPA, the CPA defines “Personal Data” as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition excludes de-identified or publicly available information.
Consumer Rights and Enforcement
The CPA includes a number of consumer privacy rights that are included in the CCPA. For example, the CPA affords consumers the right to: 1) opt out of the processing of their personal data; 2) access, correct or delete their data; and 3) obtain a portable copy of their data. Akin to the EU’s General Data Privacy Regulation (“GDPR”), the CPA draws a distinction between a “controller” and a “processor.” The CPA defines a “controller” as “a person that, alone or jointly with others, determines the purposes and means of processing personal data.” A “processor” is just that, a person that processes personal data on behalf of a controller. If signed into law, controllers would be required to conduct a data protection assessment for activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising or the processing of sensitive data. “Sensitive data” includes, in part, personal data that reveals racial or ethnic origin, citizenship, genetic or biometric data and the personal data of children.
The CPA does not include a private right of action for consumers, vesting Colorado privacy law enforcement exclusively in the Colorado Attorney General’s Office and the respective offices of the District Attorneys. Parties that violate the CPA would face penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. Companies would first be notified of alleged violations by the Colorado Attorney General’s Office or District Attorneys. After receiving notice, companies would have sixty (60) days to cure the alleged violations. Similar to the CCPA, the CPA would allow the Colorado Attorney General’s Office to adopt rules relating to the technical specifications for universal opt-out mechanisms. These rules would need to be adopted by no later than July 1, 2023. Businesses should continue to monitor the CPA and other state-specific data privacy laws to avoid investigation and significant fines.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Similar Blog Posts: