The omnibus Colorado Privacy Act was signed into law with an effective date of July 1, 2023. Like the privacy laws passed in California and Virginia, there are a lot of details to review.
Colorado is perhaps an example of what we can expect in the future – some similarities, some differences, and some new elements.
Similarities include consumer rights, privacy notices, and opt-outs of certain processing activities, such as the sale of personal data.
Differences Between the Colorado Privacy Act and Other Omnibus Privacy Laws in the U.S.
It is easy to see the similarities to, and differences from, the other state omnibus privacy laws.
Like Virginia, Colorado adopts many of the concepts of the European Union’s General Data Protection Regulation, such as controllers and processors.
Controllers are “a person that, alone or jointly, determines the purposes for and means of processing personal data.”
Likewise, a processor “processes personal data on behalf of a controller.”
However, Colorado provides instruction on when processors become controllers through their actions.
Colorado makes it clear that the determination of controller and processor is “a fact-based determination that depends on the context in which personal data are to be processed” (s. 6-1-1305(7)).
A processor who doesn’t follow the controller’s instructions in the contract is then considered a controller, subject to controller requirements.
Personal data is “information that is linked or reasonably could be linked to an identified or identifiable individual” but does not include de-identified or publicly available information.
Another key term is consumers.
Consumers are Colorado residents, “acting only in an individual or household context,” but not “in a commercial [B2B] or employment context, as a job applicant, or the beneficiary of someone acting in an employment context.”
Who is subject to the Colorado Privacy Act?
The Colorado Privacy Act (CPA) applies to controllers who conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents, and who meet one of the following two thresholds:
- Control or process the personal data of 100,000 consumers or more during a calendar year, or
- Derive revenue or receive a discount on the price of goods and services from the sale of personal data and process or control the personal data of at least 25,000 consumers – Colorado residents, but not in B2B or employment contexts.
The CPA definition of “sale” is similar to California in that it is not limited to a pure monetary exchange for personal data, but includes “other valuable consideration.”
There are exceptions, such as disclosures from controllers to processors for activities on the controller’s behalf, requested by consumers, or in furtherance of mergers and acquisitions.
It also excludes intentional disclosures by consumers such as using the controller to interact with third parties or to the general public using mass media.
There are also broad exceptions to the CPA in general; for example, the CPA does not apply to protected health information under the Health Insurance Portability and Accountability Act, or to personal data regulated under the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, or the Family Educational Rights Act.
There is no private right of action in the CPA and it specifies that violations of the CPA cannot be used as the basis to support private rights of actions under other laws.
The Attorney General and District Attorneys have exclusive authority to enforce the CPA, which can include injunctions, settlements, and penalties.
Penalties can reach up to $2,000 for each violation, which is for each consumer or transaction, not to exceed $500,000 for any related series of violations.
Section 6 of Colorado Revised Statutes addresses Consumer and Commercial Affairs, covering myriad topics from fair trade to health care coverage cooperatives.
The Colorado Consumer Protection Act is included under Article 1 – Fair Trade and Restraint of Trade, which also includes the specific Notification of Security Breach provisions under Part 7.
Once in effect, the AG or district attorneys may issue a notice of violation of the CPA prior to bringing enforcement action if they think the violation can be cured and allow 60 days to do so.
This is only permitted during the first year and a half. On January 1, 2025, the optional notice and time to cure are repealed.
Consumer Rights Under the Colorado Privacy Act
Like most privacy laws, the CPA provides for consumer rights (section 6-1-1306), such as access, correction, deletion, and portability.
Access includes the right to know if a controller is processing the consumer’s data, like Virginia provides.
The right to portability provides the ability for the consumer to receive the data in their right to access in a portable and machine-readable format, where technically feasible, that enables consumers to transmit the data to another entity without hindrance.
Controllers are not required to provide information that discloses trade secrets.
Consumers may only exercise the right to data portability twice per calendar year. California has a similar provision, related to certain rights (under sections 1798.110 and 1798.115), but with a significant difference.
Under California’s law, a business may refuse to grant the request more than twice in a twelve-month period. Although subtle, these differences must be operationalized.
There are other operational requirements, such as providing a method for consumers to submit rights requests in a manner consistent with their normal interactions with the controller, and authenticating the requests.
Controllers are not permitted to require consumers to create accounts to submit requests but may require requests to be submitted through existing accounts.
Responding to Consumer Requests
Controllers must respond to consumer requests without undue delay and no later than 45 days after receiving the request.
The timeframe may be extended to an additional 45 days, taking into account the complexity and number of requests, as long as the consumer is notified within the first 45 days and informed of the reasons for the delay.
If the request is denied, controllers must provide the determination within 45 days after receiving the request, along with the reasons for the determination and how to appeal the decision.
Controllers shall grant requests for free once annually.
They can charge for the second or subsequent request within 12 months, at 25 cents per page for paper or the actual cost to produce the electronic copy.
Note that the 12-month period does not necessarily correlate with the calendar year restriction on requests – another subtle difference that needs to be operationalized.
If unable to authenticate the request, the controller can ask for additional information to do so. They are not required to respond to unauthenticated requests.
Controllers must establish an internal appeals process for consumers whose requests are denied and who wish to appeal. The appeals process should be easy to find and use.
Controllers must respond to an appeal within 45 days with a written explanation.
This timeframe may be extended up to 60 additional days under the same extension requirements (reasonable given complexity and number of requests, notified within the first 45 days, including the reason for delay).
The appeals response must include information on how the consumer can contact the Attorney General with concerns.
Privacy Notice Requirements and Special Categories of Data Processing
Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data collected or processed by the controller or a processor,
- The purposes for which the categories of personal data are processed,
- How and where consumers may exercise their rights, including the controller’s contact information and how a consumer may appeal a controller’s action in regard to a request,
- The categories of personal data that the controller shares with third parties, if any,
- The categories of third parties, if any, with whom the controller shares personal data, and
- If applicable, whether personal data is sold or used for targeted advertising, along with how consumers can opt out of those activities.
Even though it is not an explicit requirement under the CPA to document data processing activities, the privacy notice disclosures require that controllers identify their processing activities, from collection of personal data through disclosure to third parties.
Special Processing Activities and Consent
Controllers must offer convenient methods for consumers to opt out of having their data processed for targeted advertising, sales of personal data (taking into account the broad definition of sell), and profiling that carries significant consequences for consumers.
The latter is reminiscent of the GDPR, but Colorado specifies what the significant consequences are that trigger the ability to opt out of profiling along with defining “profiling.”
Profiling “means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
Legal or significant effects that may come from profiling are specified as decisions that result in “the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.”
Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across non-affiliated websites, applications, or online services to predict consumer preferences or interest.
It does not include processing personal data solely for advertising performance, reach, or frequency metrics.
Targeted advertising also does not include advertisements:
- in response to a request for information or feedback,
- based on activities within a controller’s own websites or application, or
- based on a current search query, website visit, or online application.
Opt out methods
Controllers must provide a clear and conspicuous method for consumers (or their authorized agents) to opt out both in any required privacy notice and in a clear and conspicuous and readily accessible location outside the privacy notice.
Interestingly, the “authorized agents” may indicate the consumers’ intent through links indicating a preference, browser settings or extensions, or global device settings.
Indeed, the technology designed and operated by entities may be deemed authorized agents, according to the language, thereby eliminating complex authorization confirmation protocols, such as notarized appointment letters.
Colorado requires the Attorney General’s office to establish technical specifications for universal opt-out mechanisms.
These mechanisms are optional until July 1, 2024, after which controllers must offer consumers the ability to opt out of targeted advertising, sales of personal data, and profiling using universal opt-out mechanisms.
However, a consumer’s consent to such processing, if obtained appropriately, takes precedence over the choices expressed through a universal opt-out mechanism.
Consent may be obtained through webpages, applications, or similar technology that provides clear and conspicuous notice about the choices available, the categories of personal data collected and the purposes of processing, and how and where consumers may revoke that consent.
The withdrawal of consent must be available as easily as the consent was given – another concept directly from the GDPR.
Consent does not include:
- hovering over,
- or closing a given piece of content (so no implicit consent),
- or agreement obtained through dark patterns – defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
Responsibilities of Controllers, Processors, and Contracts
The obligations on each party are not uncommon.
The controller and processor must be bound by written contracts and are each responsible for only the measures allocated to them, which must be clearly documented.
The CPA requires that controllers follow certain requirements, most presented as duties. One of the newer requirements is a specific requirement around secondary use of personal data.
Duty of transparency
Controllers must provide a privacy notice as listed above, comprising details about the personal data processed, consumer rights and how to opt out of certain activities, contact information, categories of third parties to which data is shared or sold (given the broad definition of sell).
Controllers are also not permitted to change the cost or availability of a product or service based on consumers exercising their rights.
Duty of purpose specification
A controller shall specify the express purposes for which personal data are collected and processed.
Duty of data minimization
The collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.
Duty to avoid secondary use
A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent.
Duty of care
Controllers must take reasonable measures to secure personal data from unauthorized acquisition during both storage and use.
The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
Duty to avoid unlawful discrimination
Controllers shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
As noted above, controllers are also not permitted to change the cost or availability of services or products in relation to consumers exercising their rights – which is what the CCPA provides as their right to non-discrimination.
Duty regarding sensitive data
A controller shall not process sensitive data without first obtaining the consumer’s consent or process personal data concerning a known child without obtaining consent from the parent or guardian.
Data from children
Sensitive data includes that of children (under the age of 13).
Definition of sensitive data
Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child.
Data Protection Assessments
A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment on each processing activity that involves personal data acquired on or after the effective date.
Heightened risk of harm includes:
- Selling personal data
- Processing sensitive data
- Processing personal data for targeted advertising or profiling, if the profiling presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of, or unlawful disparate impact on, consumers,
  - financial or physical injury to consumers,
  - physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person, or
  - other substantial injuries to consumers.
Data protection assessments must identify and weigh the benefits, both direct and indirect, to the controller, the consumers, other stakeholders, and the public against the potential risks to the rights of the consumer.
The assessments should consider the safeguards that can reduce risks, including the use of de-identified data, expectations of consumers, and the relationship between the consumers and the controller.
These assessments must be provided to the Attorney General upon request, but the CPA states that the AG can use these assessments to determine compliance with any laws.
On the positive side, a single data protection assessment can be used for processing activities that are similar.
Data protection assessment requirements apply to processing activities created or generated after July 1, 2023 and are not retroactive.
Processors must:
- Adhere to the instructions of the controller, including the nature and purpose of processing, the type of personal data, and the duration of processing,
- Assist controllers in meeting their obligations regarding:
  - consumer rights requests,
  - security measures,
  - breach notification, and
  - data protection assessments,
- Ensure each person accessing personal data is under confidentiality provisions,
- Engage subprocessors only after giving the controller an opportunity to object, and require a written contract with the same obligations that apply to the processor, and
- Implement technical and organizational security measures based on risk and allocate responsibility between the parties.
Contracts between controllers and processors must include:
- The elements listed above, plus
- Return or delete data at termination unless required by law to retain (optional),
- Processor to provide controller documentation to demonstrate compliance, and
- Audit/audit report requirements
Contracts are not permitted to reduce or eliminate liabilities on either party imposed by the CPA.