Colorado Enacts Comprehensive Privacy Legislation

July.15.2021

Colorado is the third U.S. state to enact comprehensive consumer data privacy legislation with the passage of the Colorado Privacy Act (CPA) on July 7, 2021. The CPA will go into effect July 1, 2023, joining the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) in the steadily growing patchwork of state-enacted consumer data privacy legislation. The CPA’s key provisions are summarized below. However, we can expect the law may undergo further change before the effective date. In the signing statement, Colorado Governor Jared Polis noted the hastily drafted bill will require clean-up legislation to “strike the appropriate balance between consumer protection and not stifling innovation” and acknowledged that the bill’s sponsors are already working with key stakeholders to draft the updated bill.

Who is Required to Comply?

Controllers and Processors

The CPA applies to controllers that conduct business in Colorado or produce/deliver commercial products or services that are intentionally targeted to Colorado residents and meet one of the following thresholds:

1) control or process the personal data of 100,000 or more Colorado residents per calendar year;

2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents. § 6-1-1304.

While this definition of controller does not include Colorado government entities, it does encompass nonprofit organizations, making its scope broader than the VCDPA and CPRA in this respect.

Like the European Union’s General Data Protection Regulation (GDPR) and Virginia’s Consumer Data Protection Act (VCDPA), the CPA distinguishes between controllers and processors:

A controller is a person that, alone or jointly with others, determines the purposes for and means of processing personal data. § 6-1-1303(7).
A processor means a person that processes personal data on behalf of a controller.
§ 6-1-1303(19).

Statutory Exemptions

Through the definition of “consumer” (i.e., “an individual who is a Colorado resident acting only in an individual or household context”) and other provisions, the CPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context. § 6-1-1303(6)(a)-(b);

§ 6-1-1304(2)(k). The CPA, like the VCDPA, does not provide a sunset period for this exemption.

Like the CPRA and VCDPA, the CPA also provides for several exemptions for information that is already regulated under federal law, including HIPPA, GLBA, FRCA, FERPA and more.

What Information is Protected?

Personal Data

The CPA protects “Personal Data,” which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” § 6-1-1303(17)(a)-(b).

The CPA also protects “Sensitive Data” as a separate category of personal data, which includes: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. § 6-1-1303(24). In contrast to the VCDPA and CPRA, the CPA’s definition of sensitive data does not include precise geolocation data.

Personal data under the CPA does not include:

De-identified Data, which is data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual. § 6-1-1303(11).
Publicly Available Information, which is information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public. § 6-1-1303(17)(b).

What Obligations Do Controllers Have?

The CPA creates several specific processing duties for controllers, including:

Duty of Transparency: Provide a reasonably accessible, clear, and meaningful privacy notice to consumers about the controller’s privacy practices and consumer’s rights. § 6-1-1308(1)(a).
Duty of Purpose Specification: Specify express purposes for which personal data are collected and processed. § 6-1-1308(2).
Duty of Data Minimization: Limit the collection of personal data what is adequate, relevant, and reasonably necessary in relation to specified purposes. § 6-1-1308(3).
Duty to Avoid Secondary Use: Not process personal data for purposes that aren’t reasonably necessary to or compatible with specified purposes unless the controller first obtains consumer consent. § 6-1-1308(4).
Duty of Care: Take reasonable measures to secure personal data during storage and use from unauthorized acquisition. § 6-1-1308(5).
Duty to Avoid Unlawful Discrimination: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination. § 6-1-1308(6).
Duty Regarding Sensitive Data: Not process sensitive data without first obtaining the consumer’s consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian. § 6-1-1308(7).
Data Protection Assessments: Conduct and document a data protection assessment for each personal data processing activity that presents a heightened risk of harm to consumers. Data protection assessments must be made available to the Attorney General upon request. These requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive. § 6-1-1309(6). A “heightened risk of harm to a consumer” includes:

The processing of personal data for purposes of targeted advertising;
The processing of personal data for purposes of profiling if profiling presents reasonably foreseeable risk of 1) unfair or deceptive treatment or disparate impact of consumers, 2) financial or physical injury to consumers, 3) physical or other intrusion on privacy of consumers, or 4) other substantial injury to consumers;
The sale of personal data; and
The processing of sensitive data. § 6-1-1309(2)(a)-(c).

Avoid Dark Patterns: The CPA follows the trend to legislate against dark patterns, meaning “a user interface designed or manipulated with the substantial effect of subverting or impairing autonomy, decision-making or choice.” § 6-1-1303(9). Using language substantially identical to the CPRA, the CPA specifies that consent is not valid if obtained through “dark patterns.” § 6-1-1303(5)

What Obligations Do Processors Have?

The CPA creates obligations for processors to:

Comply and Assist: Abide by the instructions of a controller and assist the controller to meet its obligations by: § 6-1-1305(2).
- Enacting appropriate technical and organizational measures;
- Helping in relation to the security of processing personal data and notification of a breach of security of the system; and
- Providing information necessary for data protection assessments. § 6-1-1305(2)(a)-(c).
Ensure Confidentiality: Ensure each person processing personal data is subject to a duty of confidentiality. § 6-1-1305(3)(a).
Ensure Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of responsibilities between the controller and processor. § 6-1-1305(4).
Subcontractor Contracts: Engage a subcontractor only after providing the controller with an opportunity to object and require through a written contract that the subcontractor will meet the processor’s obligations with respect to personal data. § 6-1-1305(3)(b).
Controller Contracts: Processing must be governed by a contract binding on both parties that sets out (1) processing instructions, (2) types of personal data subject to processing and duration of processing, and (3) other requirements imposed by the CPA. § 6-1-1305(5).

What Rights Are Granted to Consumers?

The CPA requires controllers to comply with authenticated request to exercise the following rights:

Right of Access: To confirm whether a controller is processing personal data and to access such personal data. § 6-1-1306(1)(b).
Right to Data Portability: To obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another entity. A consumer may exercise this right now more than twice per calendar year.
§ 6-1-1306(1)(e).
Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into consideration the nature of the personal data and the purposes of the processing of the personal data. § 6-1-1306(1)(c).
Right to Opt Out: To opt out of the processing of personal data for purposes of (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 6-1-1306(1)(a)(I). The CPA’s provision of a right to opt out is identical to the VCDPA’s right to opt out.
Right to Universal Opt-Out Mechanism: Effective July 1, 2024, controllers that process personal data for the purposes of targeted advertising or sale must allow consumers to exercise the right to opt out through a user-selected universal opt-out mechanism. § 6-1-1306(1)(a)(IV)(B). The Attorney General is directed to adopt rules that clarify the technical specifications for such an opt-out mechanism by July 1, 2023. § 6-1-1313(2).
Right to Deletion: To delete personal data concerning the consumer. § 6-1-1306(1)(d).

The CPA obligation to respond to consumer requests aligns with the CCPA with respect to timing (45 days with option to extent), limited obligation to respond to more than one request in a 12-month period, and the need to authenticate the consumer’s request. The CPA mirrors the VCDPA’s unique approach in adopting a statutory right to appeal. § 6-1-1306(3). The bill requires that controllers establish internal processes for consumers to appeal a refusal to act on a request to exercise any of the rights above. The appeal process must be made readily available and as easy to use as the process for submitting a request. Furthermore, the CPA mandates that controllers inform the consumer of their ability to contact the Attorney General if the consumer has any concerns regarding the result of an appeal.

The consumer rights above do not apply to pseudonymous data if (1) the controller can demonstrate that the information necessary to identify the consumer is kept separately and (2) is subject to effective technical and organizational controls that prevent the controller from accessing such information.
§ 6-1-1307(3).

How is the Law Enforced?

The CPA does not provide for a private right of action. The Colorado Attorney General and District Attorney’s have the exclusive authority to enforce the CPA by injunctive relief and civil penalties.

§ 6-1-1311. The bill provides that violations of the law will be enforceable as per se deceptive trade practices. § 6-1-1311(c). Thus, under Colorado consumer protection law, violations of the CPA can carry penalties of up $20,000 for each violation, where each consumer involved constitutes a separate violation, with a maximum penalty of $500,000 for any related series of violations. § 6-1-112.

The Act also provides a 60-day right to cure provision that sunsets on January 1, 2025. § 6-1-1311(2)(d). This is more in line with the CPRA, which removed the CCPA’s 30-day right to cure ordinary violations of the law, than the VCDPA that provides a 30-day right to cure provision with no sunset provision.

Rulemaking authority. Further, the Attorney General is granted rulemaking authority regarding the issuance of opinion letters and interpretive guidance, which shall include a good faith reliance defense for businesses. These rules must become effective by July 1, 2025. § 6-1-1313(3).

The CPA also preempts “laws, ordinances, resolutions or the equivalent adopted by any statutory or home rule municipality, county, or city regarding the processing of personal data by controllers and processors.” § 6-1-1312.

Conclusion

Colorado is one step away from becoming the third U.S. state to enact comprehensive consumer data privacy legislation, following in the footsteps of California and Virginia. The majority of the CPA will become effective on July 1, 2023, though certain provisions will not go into effect until July 1, 2024. Keep an eye out for additional legislative updates as a number of states wind down their legislative sessions.

Authors

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Nicholas Farnsworth Senior Associate, Cyber, Privacy & Data Innovation, Artificial Intelligence (AI)

Boston

See my bio

M:+1 978 430 8003
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence (AI)
Technology Transactions
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Nicholas Farnsworth Senior Associate

Boston

Nick provides compliance guidance on both proposed and effective laws on a federal and state level in the United States, including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Children’s Online Privacy Protection Act (COPPA)
Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws
U.S. artificial intelligence laws

He also counsels clients on the impact of international laws from a U.S. perspective, including the General Data Protection Regulation (GDPR), the ePrivacy Directive (ePD), and the EU Artificial Intelligence Act.

Nick helps clients develop flexible governance frameworks for the development and use of artificial intelligence in the face of ever evolving AI legislation. He also advises clients on strategies, policies and procedures for the sourcing of AI training data, the responsible use of AI by employees, the assessment of risks presented by AI tools, the design of consumer-facing AI, the negotiation of AI-related contracts and the handling of AI-related regulatory inquiries and investigations.

Nick also devotes a portion of his practice to innovative client solutions and community engagement. He was part of the Orrick team that developed Orrick’s AI Resource Center, EU AI Act reference guide, U.S. AI Law Tracker and Gen AI Policy Builder. His pro bono practice has included representing clients in immigration and innocence matters and assisting small businesses with their legal needs.

Nick has obtained the Certified Information Privacy Professional -/ United States (CIPP/US), Certified Information Privacy Technologist (CIPT) and Privacy Law Specialist (PLS) designations from the International Association of Privacy Professionals (IAPP).