In the summer of 2021, Colorado established the Colorado Privacy Act (CPA), which goes into effect on July 1, 2023. The CPA is one of the comprehensive consumer privacy laws enacted by a state in the absence of Federal consumer privacy legislation.
Who is subject to the CPA?
The CPA applies to data “controllers”. A controller is “a person that, alone or jointly with others, determines the purposes for and means of processing sensitive data” and conducts business in Colorado or delivers products or services that are intentionally targeted to residents of Colorado. To be subject to the CPA, a controller does not need to be located in Colorado. “Personal data” as defined by the CPA is “information that is linked or reasonably linkable to an identified or identifiable individual … [and] does not include de-identified data or publicly available information.”
The controller must meet one or both of the following thresholds for the CPA to apply: (i) it controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year; or (ii) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado consumers.
Even if you do not meet the thresholds above, the CPA requires controllers to ensure processors of personal data collected meet the requirements of the CPA. Accordingly, if you are processing personal data on behalf of a controller that must comply with the CPA, per your contractual requirements with the controller, you will also need to comply with the CPA.
Under the CPA, a “consumer” includes Colorado residents acting only in an individual or household context. Colorado residents acting in a commercial or employment context are not in scope.
Who is exempt from the CPA?
The CPA is not applicable to certain businesses, such as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Additionally, the CPA does not apply to certain sensitive data sets, such as protected health information. The CPA is unique from other state consumer privacy laws in that nonprofit organizations are not exempt.
What are the consumer’s rights under the CPA?
Similar to other state consumer data privacy laws, the CPA grants comprehensive rights to consumers regarding their personal data security, including:
- Right of access;
- Right of correction;
- Right of deletion;
- Right to opt-out of processing for profiling/targeted advertising purposes, sale of personal data, and certain automated decision making; and
- Right of portability (receiving a copy of personal data).
What are the controller’s obligations under the Colorado Privacy Act regulations?
Under the CPA, controllers must, among other things, provide a privacy notice to consumers, conduct data protection assessments and riskassessments, and enter into written data processing agreement (DPA) with processors who perform certain services for the controller with respect to the personal data.
Are there penalties for failing to comply with the CPA?
Once the CPA goes into effect on July 1, 2023, the Colorado Attorney General and district attorneys will have the authority to enforce the law. Enforcement can include injunctive relief or monetary penalties. Initially, and until January 1, 2025, alleged violators will be given 60 days to cure the alleged violation(s).
January 2023 Update
When the CPA was signed into law, the Colorado Attorney General was tasked with implementing the CPA, including drafting and adopting new rules. The new rules must be in place by the July 1st effective date. An updated version of the draft rules was posted on December 21, 2022 and a public hearing will be held on February 1, 2023. The current version of the draft rules clarifies, among other things, how controllers must enable a consumer to exercise their opt-out rights, how a controller responds to and complies with consumer requests, and what should appear in a privacy notice and how a controller should advise consumers of changes to the privacy notice.