Colorado Passes the Colorado Privacy Act Which Could Expand Obligations of Businesses to Colorado Consumers and Regulators

By Aloke S. Chakravarty, Chase Millea and Tony Caldwell

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, which, when it takes effect on July 1, 2023, will place affirmative obligations on entities that conduct business in Colorado (or intentionally target residents of Colorado), and either:

• Control or process the Personal Data (information that is linked or reasonably linkable to an identified or identifiable individual) of 100,000 or more Colorado residents during a calendar year; or
• Derive revenue or receive discounts from the sale of Personal Data and process or control the personal data of 25,000 or more Colorado residents.

The CPA does not apply to information that is collected by an entity that is otherwise regulated by certain state and federal laws and regulations, including the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), and the Children’s Online Privacy Protection Act (COPPA), and it does not apply to de-identified information or to Personal Data collected for certain other limited activities such as for employment purposes or business-to-business interactions.

Controllers and Processors of Personal Data

The CPA adopts several European Union General Data Protection Regulation (GDPR) concepts, such as classifying covered Companies that determine the purpose for and means of processing Personal Data as “Controllers.” Organizations that process Personal Data on behalf of Controllers are defined as “Processors.”

Accordingly, the CPA places various duties on Controllers as well as obligations on Processors to support Controllers in their compliance with the law. Significantly, the CPA requires controllers to conduct a Data Protection Assessment (DPA) and requires special opt-in provisions for handling of “sensitive” data. Borrowing from the GDPR, Processors must also be bound by an agreement with the Controller that sets out processing instructions, type and duration of the processing, and the following requirements:

• At the choice of Controller, the Processor must delete or return all Personal Data to the Controller unless retention is required by law; and
• The Processor must allow and contribute to reasonable audits and inspections by the Controller.

Privacy Notice

The CPA’s requirement for a Privacy Notice is in line with the transparency requirements of existing data privacy laws. Controllers must post a clear and conspicuous Privacy Notice that details their practices around the processing of Personal Data. The Privacy Notice must include:

• The categories of Personal Data collected;
• The purposes for which Personal Data is processed;
• How and where Consumers may exercise their rights; and
• The categories of third parties with whom Controller shares Personal Data.

Sales and Targeted Advertising

If a Controller sells Personal Data to third parties or processes Personal Data for targeted advertising, the Controller must clearly and conspicuously disclose the sale or processing on the Privacy Notice, and the manner in which the Consumer can opt out of such sale or processing.

Consumer Rights

The CPA grants Consumers rights that are similar to the GDPR and California Consumer Privacy Act (CCPA), and a Consumer may submit a request at any time to a Controller exercising any of the following, including their:

• Right to opt out of targeted advertising, the sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a Consumer;
• Right of access to confirm whether the Controller is Processing Personal Data about the Consumer, and to access such Personal Data;
• Right to correction to correct inaccuracies in their Personal Data;
• Right to deletion to delete Personal Data concerning the Consumer; and a
• Right to portability of the Consumer’s Personal Data.

Controllers are only obligated to support Consumer requests to exercise rights that the Controller can verify using commercially reasonably methods.

Liability and Enforcement

The CPA does not have a private right of action. However, both the Colorado Attorney General and respective state District Attorneys have civil enforcement authority, including jurisdiction to ensure that covered companies are complying with the DPA and other requirements. Importantly, there is a 60-day cure period for violations until 2025, unless modified.

Next Steps

As the effective date of the CPA approaches, organizations that hold or process identifiable information about Colorado residents should consider assessing whether the CPA applies to them and, if so, consider amending their practices to account for new requirements, including the development of a Privacy Notice and means to support Consumers to exercise rights to their Personal Data.

Denver partner Al Chakravarty, one of the leaders of Snell & Wilmer’s Cybersecurity, Data Protection and Privacy practice, successfully proposed amendments to the statute and testified before the Colorado legislature in support of companies doing business in Colorado.