The Colorado Privacy Act (CPA), currently set to take effect July 1, 2023, provides important privacy protections for Colorado residents and requires certain businesses, called “controllers,” that conduct business in Colorado or intentionally target Colorado residents to implement these protections. Colorado joins several other states, including California, Virginia, Utah, and Connecticut, in implementing comprehensive data privacy protections for its residents. Several other state-based privacy bills are also making their way through the committee process. The fragmented approach to data privacy seen today results from Congressional inaction in implementing comprehensive federal data privacy legislation. Although many factors contribute to the lack of federal legislation, two predominate. One is disagreement over whether federal legislation would preempt and invalidate state data privacy laws like the CPA. The other is the availability of a private right of action to enforce violations of the proposed statute. The CPA contains no private right of action. This means a private individual or entity cannot sue a business for violating the CPA. This leaves enforcement authority to the Colorado Attorney General and district attorneys, who can pursue injunctive relief to stop the business from acting or behaving in a way that violates the CPA or obtain monetary damages for violations. Below is a general overview of controllers’ responsibilities before the CPA comes into effect this summer. To better understand the requirements for individual controllers, entities subject to the Act’s requirements, such as businesses and non-profits, should consult with an attorney familiar with the Act and the unique data environment particular to that entity.
Who are “Controllers” Under the Colorado Privacy Act?
Colorado is taking an iterative approach toward implementing the CPA and is currently on the third version of its proposed draft rules. Although it can be assumed that the final rules will closely match those already proposed, the specifics regarding definitions and requirements are subject to change. One element that has remained consistent across all versions is the definition of “controller” and how the Act applies to this discrete group. The CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and either:
(1) control or process the personal data of 100,000 or more consumers during a calendar year, or
(2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.
The law defines “consumers” as Colorado residents acting in an individual or household context. It does not include Colorado residents acting in a commercial or employment context.
Notably, the law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies, such as cloud service providers. Just as important are the entities excluded from the Act. The CPA exempts some types of entities from its requirements, even when they meet the controller definition under the Act. These include financial institutions and affiliates subject to the Gramm-Leach-Bliley Act, air carriers subject to Federal Aviation Administration regulations, and national securities associations registered under the Securities Exchange Act. Personal data maintained in compliance with federal privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA), is also exempt from the CPA’s requirements.
Businesses subject to regulatory compliance with the California Consumer Privacy Act (CCPA) will note that the CPA does not have a monetary threshold similar to the CCPA’s, which begins at $25 million in annual gross revenue.
What are the Requirements for Controllers Under the Act?
The requirements for controllers under the CPA are numerous. The current rulemaking version of the CPA stands at 47 pages, covering everything from transparency requirements in privacy notices to security requirements for the safe storage of consumer data. Generally, consumer data controllers are required to “be transparent about how they collect, store, use, share, and sell personal data, and clearly identify the purpose for which they do so.” Section 6.02, titled “Privacy Notice Principles,” states the principles controllers must apply to the privacy notices given to consumers, including providing them “with a meaningful understanding and accurate expectations of how their personal data will be processed.” Additionally, these privacy notices must be clearly visible and provide consumers with the categories of personal data, if any, that the controller sells or shares with third parties. These third parties must also be described adequately enough that consumers have a meaningful understanding of what type of entity each third party is, e.g., analytics companies, data brokers, third-party advertisers, payment processors, government agencies, etc. Finally, material changes to privacy notices must also be communicated to consumers. While this section attempts to detail controllers’ responsibilities concerning privacy notices, it leaves out substantial portions for brevity. Controllers are urged to have their attorney review the current CPA version to prepare for the Act’s rollout in summer 2023.
The CPA also contains a Duty of Care section that controllers must abide by when processing personal data that “ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of personal data collected, stored, and processed [are in place].” The key under this section, at least when it comes to enforceability, is whether the security practices employed by the controller were reasonable. When determining reasonableness, controllers should consider things such as:
- Applicable industry standards
- Nature, size, and complexity of the controller’s organization
- Sensitivity and amount of personal data
- Risk of harm to consumers resulting from unauthorized access
- Burden or cost of safeguards to protect personal data from harm
In sum, reasonable safeguards must be designed to protect consumer data from unauthorized access or accidental loss, destruction, or damage.
Consent, described under Part 7 of the Draft Rules, provides important protections for Colorado consumers and equally important responsibilities for controllers. Under Rule 7.02, a controller must obtain valid consumer consent before processing a consumer’s sensitive data. Under the Act, sensitive data is defined as data used to indicate an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. When processing the data of a known child, valid consent must be obtained from a parent or lawful guardian. Valid consent is also required when selling a consumer’s data or processing it for targeted advertising after the consumer has exercised their opt-out rights. Additionally, valid consent is required for processing data for purposes not reasonably necessary for, or compatible with, the original purpose communicated to the consumer.
The requirements for valid consent differ significantly from how many companies obtain consumer consent in the current data privacy environment. For example, under the CPA, consent must be obtained through deliberate and clear conduct on the part of the consumer. A blanket acceptance of general terms and conditions, silence, inactivity, or pre-ticked boxes does not constitute consent under the CPA. Whether consent is valid depends on many different factors. These factors include the consumer’s age, user interface design, the use of dark patterns, and the timing of the request. Controllers subject to consent requirements under the CPA need to evaluate their existing privacy and data practices and procedures and compare them to the emerging regulatory requirements under the CPA to ensure their compliance with these essential rules.
Under the CPA, the Attorney General may also request Data Protection Assessments. These are assessments a controller must undertake before processing data that presents a heightened risk of harm to consumers, such as the processing of consumer data for targeted advertising and the processing of sensitive personal data. The assessments must weigh the benefits to the controller of processing such data against the risks to the rights of consumers associated with the processing. Notably, the scope and level of detail of these assessments should be proportionate to the size of the controller and the amount and sensitivity of data processed. Part 8 of the CPA contains a descriptive list of elements that must be included in a Data Protection Assessment, along with its required scope, stakeholder involvement, and timing. Lastly, these assessments must be made available to the Attorney General within 30 days of the Attorney General’s request.
What are the Penalties if a Controller Violates the CPA?
As mentioned above, enforcement under the CPA is left to the Colorado Attorney General’s office and state district attorneys. Because the CPA lacks a private right of action, individual citizens whose rights under the CPA have been violated by controller conduct cannot pursue either monetary damages or an injunction. However, violators can still be subject to hefty fines. Under Colorado Revised Statutes Section 6-1-112, the Colorado Attorney General or a district attorney may pursue a civil penalty of up to $20,000 for each violation of the CPA. The CPA also contains a cure provision. This gives the Colorado Attorney General or district attorney discretion to allow controllers violating the CPA to fix the violation. However, no such cure notice is required if the enforcement authority determines that no fix is possible. The cure provision is temporary and will end on January 1, 2025. Currently, the specific rules the Colorado Attorney General and district attorneys will reference when carrying out enforcement actions under the CPA are being made public, with the Attorney General’s office planning to adopt the rules before the July 1, 2023 rollout.
The Colorado Privacy Act reflects the current fragmented approach to data privacy that will likely prevail in the United States for quite some time. Businesses operating in this environment must have increased awareness of the changing regulatory landscape. Knowledge of which states and countries controllers operate in, the type and amount of data they acquire, how that data is processed and used, and the security environment that data is kept in must be constantly evaluated to ensure compliance in each state or country. Regular audits and risk assessments by both internal stakeholders and external experts should be systematic. Controllers should be notified of any issues before they become actionable by enforcement authorities.
With the ever-changing privacy regulations and protections, it is essential to consult a knowledgeable attorney. The Data Privacy and Cybersecurity attorneys at Whitcomb Selinsky, PC, can help you with compliance questions before the CPA’s rollout this summer. We will review your current data and privacy practices and compare them to the CPA requirements to help prevent violations. As personal data becomes more readily accessible, it is vital to ensure the data your business collects is secure.
We will update this blog to reflect ongoing Act rulemaking changes.