How to Comply With Colorado’s New Privacy Law
For all the state data privacy bills that get drafted, a shockingly small number have actually been passed into law. California and Virginia have been the only two states with privacy legislation one could call “comprehensive” – until now.
Enter Colorado. Now that Governor Jared Polis has signed the bill, the Colorado Privacy Act (CPA) will go into effect on July 1, 2023. While the law is not drastically different from what we’ve seen so far, experts have pointed out some unique elements that might just put Colorado at the “forefront of consumer privacy.” Here’s how to comply with Colorado’s new privacy law.
Applicability
The law applies to any legal entity that conducts business in Colorado or intentionally targets products or services to Colorado residents, and that controls or processes the personal data of more than 100,000 consumers annually. That threshold falls to 25,000 consumers if the business makes money by selling personal data.
Certain protected health, credit, employment or patient-identifying information is exempt, as is de-identified or publicly available data. Unlike the California Consumer Privacy Act (CCPA), financial institutions subject to the Gramm-Leach-Bliley Act are fully exempt. As usual, “personal data” is defined as information that is “linked or reasonably linkable to an identified or identifiable individual.”
The law does not restrict an entity’s ability to comply with other laws, cooperate with legal or law enforcement inquiries, conduct product-improvement research, protect consumer interests, address malicious or illegal activity or complete a transaction requested by the consumer.
However, when processing data under one of these exceptions, the controller must process it for no other purpose and only to the extent necessary for that purpose, and must be able to demonstrate that the activity falls under one of these exceptions.
Consumer Rights
The law will establish a handful of data privacy rights for individuals in Colorado.
First of all, consumers have the right to confirm whether a controller is processing their data and the right to access that data. They also have the right to data portability: the data must be given to them in a portable, readily usable format that they can transmit to another entity for their own purposes. However, the controller is only obligated to fulfill two such requests per year free of charge.
If the data is inaccurate, the consumer has the right to correct it. Consumers also have the right to delete their personal data.
Consumers have the right to opt out of any data processing activity done for the purposes of sale, targeted advertising or profiling in furtherance of decisions that impact the consumer in question. The controller must provide two clear and conspicuous methods through which consumers can submit an opt-out request: one in the privacy notice and another outside of it.
The law will allow consumers to authorize another individual or entity to submit an opt-out request on their behalf. In such a case, controllers must authenticate the request and ensure that the consumer has given the agent the authority to act on their behalf.
A caveat for consumers is that controllers are allowed to seek the consent of the consumer for data activity involving sale or targeted advertising. If given, this consent will override any opt-out request. However, the consumer shall be able to revoke the consent as easily as it was given.
Consumers must be able to exercise these rights in a way that is secure, reliable and consistent with the way they typically interact with the controller. The controller must be able to authenticate the request, but they may not require consumers to create an account to submit a request. However, they may require them to use an existing account.
Upon receiving a request, controllers have 45 days – or 90, if necessary – to respond. If extending the period, the controller must inform the consumer of the reasons for the delay within 45 days of the initial request. If denying a request, the controller must explain why and give the consumer a clear means to appeal the decision. If the appeal is denied, the controller must clearly inform the consumer of their ability to contact the attorney general.
Consumers may not be discriminated against solely on the basis of exercising their rights. This means controllers may not increase the price or decrease the availability of a product or service unless the consumer’s action alters the feasibility or value of a service. However, controllers may offer lower prices, higher quality, or better selections to consumers who voluntarily participate in a loyalty, rewards or discount program.
Notably, the law does not include a private right of action for consumers seeking damages in the case of a violation.
Controller Duties
For the sake of transparency, controllers must provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must include the controller’s contact information, the categories of personal data collected and processed and the purposes for the processing of each category. It must inform consumers of how they can exercise their privacy rights, including their right to appeal a controller’s decision regarding a request.
The notice must also list the categories of data shared with third parties and the categories of third parties with which the data is shared. If the data is sold or used for targeted advertising, the controller must disclose this and inform consumers of how they can opt out of the activity.
Additionally, the controller must specify the purposes for any data activity and minimize the data processing to what is necessary for the fulfillment of these purposes, unless they obtain the consumer’s consent. The controller must obtain the consumer’s consent before collecting data from a known child, or collecting sensitive data, which includes identifiable biometric or genetic information and data related to:
Racial or ethnic origin
Religious beliefs
Mental or physical health conditions
Sex life or sexual orientation
Citizenship status
The law includes obligations for processors as well. Primarily, processors must follow the instructions of the controller and actively cooperate with and assist the controller in their efforts to comply with the regulations. Processors and controllers must enter into a contract outlining the type, nature, purpose and duration of data processing. This contract must include the following requirements:
The processor must delete or return all personal data to the controller upon request
The processor must make all information necessary to comply with the CPA available to the controller
The processor must comply with all reasonable audits and inspections by the controller or hire a qualified independent auditor at least annually, providing a report of the audit to the controller upon request
Security Measures
The law includes the duty of controllers to take “reasonable measures to secure personal data during both storage and use from unlawful acquisition.”
More specifically, for any processing activity that presents a “heightened risk of harm” to the consumer, the controller must conduct and document a data protection assessment. Such activities include sale, processing sensitive data, and certain uses for targeted advertising or profiling that put the consumer at risk of physical or financial harm, unfair treatment or invasion of privacy.
Such assessments must compare the benefits of the activity to the controller or consumer with the potential risk to consumer rights, touching on whatever safeguards are in place to minimize risk. These assessments must be made available to the attorney general upon request.
Enforcement
Enforcement authority rests exclusively with the attorney general and district attorneys. They must issue a notice of violation to the controller, allowing 60 days to cure the violation. Penalties can be up to $20,000 per violation per consumer, with a maximum of $500,000 for a related series of violations.
The law has passed, but there are still some details to iron out. For example, the attorney general has yet to create rules for the technical specifications for opt-out mechanisms, as well as a potential operational framework for controllers.