Issue in Brief: Colorado is the third state to pass comprehensive consumer privacy legislation—the second in 2021—following the Virginia Consumer Data Protection Act (CDPA), which was signed into law earlier this year, and the California Consumer Privacy Act (CCPA), which passed in 2018.

On the Horizon: The Colorado Privacy Act largely tracks the prior state consumer privacy laws, requiring covered businesses to observe transparency requirements, honor consumer requests, and implement security controls to protect personal data. As a slight divergence, however, the CPA requires covered business to observe stricter consent requirements, implement “single-click” opt-out requests and readily-available appeals processes associated with consumer requests, and conduct—in certain instances—data protection impact assessments.

Key Takeaways: The CPA comes into effect on July 1, 2023, along with implementing regulations that the Colorado attorney general is required to develop. Businesses covered by the CPA should begin aligning their privacy programs and practices with the CPA, including the development of the more unique aspects of the law like the “single-click” opt-out mechanism and the readily-available appeals process.

CPA Scope & Key Definitions

On July 7, 2021 Colorado Governor Jared Polis signed the CPA into law, which is set to take effect on July 1, 2023.

The CPA largely tracks the prior state privacy legislation, the CCPA and the CDPA, but also borrows elements from Europe's General Data Protection Regulation (GDPR). Similar obligations include transparency requirements, honoring consumer requests, observance of data minimization principles, implementing data security efforts, and adhering to vendor management requirements.

In addition to the commonly shared obligations with the CCPA and CDPA, such as transparency requirements and a short list of explicit consumer rights, the CPA has some unique and nuanced differences in scope, including:

Covered Businesses. Companies engaged in business in Colorado that either (1) process the personal data of 100,000 consumers or (2) process the personal data of 25,000 consumers and receive any revenue or discount from the sale of personal data must comply with the CPA. Unlike the CCPA, Colorado's framework has no revenue threshold that subjects a company to the CPA.

Consumer. A consumer is a Colorado resident acting in an individual or household context and, like the CDPA, explicitly excludes those persons acting in a commercial or employee context.

Consent.  A significant deviation from other consumer privacy legislation, the CPA requires that consent be in the form of a “clear affirmative act signifying a  consumer's freely given, specific, informed, and unambiguous agreement,” which aligns more closely with the GDPR and has proven to be a hurdle for companies.

Novel CPA Requirements & Obligations

Similarly, the CPA also creates unique (for US state consumer privacy) requirements, including: 

Data Protection Assessment. The CPA requires businesses to conduct data protection assessments in cases of processing that present a “heightened risk of harm” to consumers. Certain categories include processing that involves targeted advertising where profiling can lead to unfair treatment of, or financial injury to, consumers, as well as the sale of personal data and any processing of sensitive data.

Single-Click Universal Opt-Out Procedure.  Consumers will have the right to opt-out of processing of their personal data for purposes of targeted advertising, the sale of personal data, and consumer profiling. The CPA is unique here in that it mandates businesses to provide a universal opt-out option, such as a one-click button, to exercise all opt-out rights simultaneously. The attorney general's office has until the July 1, 2023, to establish technical regulations regarding the universal opt-out requirement.

Right to Appeal.  Under the CPA, a business must provide consumers with a conspicuously available and convenient-to-use appeal process in connection with the exercise of applicable consumer rights. If an appeal is denied, the business must inform the consumer of their ability to contact the attorney general to submit a complaint.

Entity & Data Category Exemptions

The CPA includes certain exemptions, either by entity or by data set:

Exempt Entities.  Principally, the CPA exempts financial institutions subject to the Gramm-Leach-Bliley Act.

Exempt Data Categories.  The CPA further excludes protected health information and de-identified information under HIPAA information, data collected through certain activities of consumer reporting agencies, and data maintained for employment purposes, as well as data regulated by other laws, such as the Children's Online Privacy Protection Act (COPPA)

CPA Enforcement & Penalties
A violation of the CPA constitutes a deceptive trade practice, and noncompliant businesses can be fined up to $20,000 per violation, with no cap on the overall fine amount. The CPA, however, does not provide for a private right of action. Rather, it is enforced by the attorney general or a district attorney.
Upon an enforcement action, the relevant office must provide notice to the business, after which time the business will have 60 days to cure the violation. This provision, though, is set to expire January 1, 2025, after which businesses in violation of the CPA will not have an automatic right to cure before a proceeding commences. 

Next Steps
Businesses complying with the CPA as a first instance or even businesses already subject to other privacy frameworks but need to update its program to comply with the CPA, critical steps should include:

  • Data Mapping and Inventory Practices.  Identifying the personal data a business collects is a critical and important step to compliance. This often includes identification of data elements, the purpose of the collection, storage locations, retention periods, and access rights to the data, including transfers to third parties.
  • Developing Formal Processes and Procedures.  Such procedures and processes include timely observing consumer requests, ensuring defensible collection of consumer consent where necessary, implementing data protection impact assessment processes, establishing the newly created appeals process, protecting personal data, and—as necessary—establishing a universal opt-out mechanism.
  • Creating a Third-Party Management Program.   This process involves diligence around contracting requirements for third parties that a business may use to process personal data, as well as tracking the sale or transfer of personal data to third parties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.