Colorado Privacy Act (“CPA”)

Written by: Charles R. Langhorne IV, Esq. and Alyssa J. Feliciano, Esq.

CURRENT STATUS

The Bill passed and has been signed by the Governor.

EFFECTIVE DATE

July 1, 2023

TO WHOM DOES CPA APPLY?

The CPA applies if a business satisfies both of the following requirements, meeting at least one condition under each:

Requirement 1:

    • Conducts business in Colorado; or
    • Produces commercial products or services that are intentionally targeted to Colorado residents.

Requirement 2:

    • Controls or processes the personal data of more than 100,000 consumers per calendar year; or
    • Derives revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers.

RIGHTS OF COLORADO RESIDENTS

Colorado residents have the following rights:

    1. Right to access their personal data.
    2. Right to correct inaccuracies in personal data.
    3. Right to have their personal data deleted.
    4. Right to obtain a copy of their personal data.
    5. Right to opt out of the processing of their personal data for: (a) targeted advertising; (b) the sale of their personal data; or (c) profiling in furtherance of future decision making.

PRIVACY POLICY REQUIREMENTS

Businesses subject to CPA must maintain a website privacy notice that contains the following information:

    1. The categories of personal data being processed;
    2. The purpose(s) for processing personal data;
    3. How and where Colorado residents may exercise their rights, including the controller’s contact information and how actions may be appealed;
    4. The categories of personal data shared with third parties;
    5. The categories of third parties with which personal data is shared; and
    6. A clear and conspicuous disclosure of whether personal data is sold to third parties or processed for targeted advertising, together with the manner in which a consumer may exercise the right to opt out of that sale or processing.

TARGETED ADVERTISING

The CPA provides Colorado residents the right to opt out of the processing of their personal data for “targeted advertising.” The opt-out process must be presented through a clear and conspicuous notice informing Colorado residents of the choices available to them.

SALE OF PERSONAL DATA

The CPA provides Colorado residents the right to opt out of allowing the business to “sell” their personal data. “Sell” means the exchange of personal data for monetary consideration. Businesses must implement a method by which Colorado residents can easily opt out of the sale of their personal data.

“UNIVERSAL” OPT-OUT

Businesses must provide a universal opt-out mechanism that allows a consumer to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

DATA PROTECTION ASSESSMENTS

The CPA requires that businesses conduct a data protection assessment prior to conducting any of the following processing activities:

    • The processing of personal data for purposes of targeted advertising;
    • The sale of personal data;
    • The processing of personal data for purposes of profiling;
    • The processing of sensitive data; and
    • Any processing activities involving personal data that present a heightened risk of harm to Colorado residents.

DATA PROCESSORS

The CPA requires data controllers to enter into a written data processing agreement with each subcontractor (processor) that processes personal data on their behalf.

VIOLATIONS & ENFORCEMENT

The CPA does not provide a private right of action.

Alleged violations are investigated by the Colorado Attorney General or a District Attorney. There is a 60-day cure period, running from the time the business receives notice of a violation from the Attorney General or District Attorney, during which the business may remedy the violation before the Attorney General or District Attorney begins enforcement.

CPA VS. GENERAL DATA PROTECTION REGULATION (“GDPR”)

The CPA is not as burdensome as GDPR but contains many similarities.

CPA VS. CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”)

The CPA is very similar to the CCPA. However, there are a few key differences.

The CPA does not apply to personal data collected from employees for employment or human resources purposes. The CCPA also has an employment data exemption, but it is not absolute, as the CPA’s is.

The CPA includes a data minimization requirement that CCPA does not.

B2B Exception – Personal data of individuals acting in their business capacity is exempted from the CPA requirements. CCPA’s B2B exception expired on January 1, 2021. CCPA’s successor legislation, the California Privacy Rights Act has a similar exemption, but it expires on January 1, 2023.

EXCEPTIONS

The CPA does not apply to data that is subject to the following laws:

    • Health Insurance Portability and Accountability Act
    • Gramm-Leach-Bliley Act
    • Family Educational Rights and Privacy Act
    • Fair Credit Reporting Act
    • Driver’s Privacy Protection Act of 1994
    • Children’s Online Privacy Protection Act of 1998
