On July 7, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA or the Act), a far-reaching statute providing Colorado residents new rights to control the collection, use and disclosure of their personal information by businesses active in the state. In so doing, Governor Polis made Colorado the third US state, following California and Virginia, to mandate procedures that will give consumers more insight into and choices regarding processing of their personal information. Most provisions of the Act will take effect on July 1, 2023; others not until July 1, 2024. Depending on their current data privacy practices, businesses that will be subject to the CPA may need to take some significant steps within the next two years to be ready with procedures for compliance.

Many aspects of the CPA resemble provisions of the California Consumer Privacy Act (CCPA) and/or the California Privacy Rights Act (CPRA) adopted by ballot initiative last year, as well as provisions of Virginia's Consumer Data Protection Act (VCDPA) enacted in March of this year.1 And, like the VCDPA, the Act contains terms and reflects concepts used in the European Union's General Data Protection Regulation (GDPR). Colorado will likely be followed by other states in adopting legislation along the same lines, and although Congress will continue to consider proposals for an overarching federal law, it appears that at least in the near term, the states will be the innovators in this area.

Enforcement of the CPA will be by the state attorney general as well as district attorneys; the Act does not give consumers a private right of action. The attorney general also has broad rulemaking authority under the Act, and may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses. This guidance should prove helpful to businesses, as will the fact that the attorney general and district attorneys, at least until January 1, 2025, must issue a notice of violation prior to commencing an enforcement action and allow the respondent 60 days to cure.

Who is Subject to the CPA?

Like the GDPR and the VCDPA, the CPA applies to "controllers" and "processors" of "personal data," controllers being those who determine what data to collect and what should be done with it; and processors being those who process personal data on a controller's behalf. These terms roughly correspond to the CCPA's definitions of "businesses" and "service providers."

All processors of regulated controllers are subject to the CPA, regardless of their size, location or other characteristics. The controllers that are regulated under the Act are those that (1) either conduct business in Colorado or (2) produce or deliver commercial products or services that are intentionally targeted to Colorado residents (Consumers) and either (A) control or process the personal data of at least 100,000 Consumers during a calendar year, or (B) control or process the personal data of at least 25,000 Consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data.

A "Consumer" is a Colorado resident, but only in the context of their role as an individual or household, where they are not acting on behalf of any organization or as an employee of an organization. Thus, an individual representing a company in a business-to-business context, or an individual employed by or seeking a job from a company, is not a Consumer whose personal information would be considered in calculating the number of Consumers whose personal information the company is processing for purposes of determining the CPA's application to that company.

This scope of application tracks closely but is in one respect broader than that of the VCDPA, which, with respect to entities that control or process personal data of at least 25,000 Consumers, covers only those that derive more than 50% of gross revenue from the sale of personal data. The CPA's scope is also similar to that of the CCPA, but is narrower in that the CCPA (subject to statutory exemptions) applies to businesses with annual revenues above $25,000,000, regardless of the number of Consumers whose personal data is processed.  Also, while the CCPA and the VCDPA both exempt non-profit companies from their scope, the CPA does not.

What Information Is Covered?

The CPA protects privacy interests in "personal data," which (as under the VDCPA and much like the CCPA and GDPR) is information "linked or reasonably linkable to an identified or identifiable individual," excluding de-identified data and publicly available information.

"De-identified data" under the CPA means "data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual," if the controller possessing the data: (1) takes reasonable measures to prevent the data from being capable of association with an individual, (2) publicly commits to maintain and use the data only in de-identified form and to not attempt to re-identify the data, and (3) contractually obligates any recipients of the information to take such measures and make such commitments. In effect, the CPA thereby imposes legal obligations on recipients of de-identified data, regardless of whether they are controllers or processors subject to the CPA.

"Publicly available information" is information "lawfully made available from federal, state or local government records and information that a controller has a reasonable basis to believe the [C]onsumer has lawfully made available to the general public."  This definition, similar to that in the VDCPA, is notably broader than the CCPA's, which does not cover information relating to a consumer that the consumer has themselves placed in the public domain, such as in an open Facebook profile or on LinkedIn.

What Exemptions Apply?

Like the CCPA and the VCDPA, the CPA has a number of exemptions that materially limit its scope. Most of these exemptions are for individually identifiable information protected under other privacy laws, such as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), nonpublic personal financial information under Title V of the Gramm-Leach-Bliley Act (GLBA), consumer report information under the federal Fair Credit Reporting Act, children's data collected in compliance with the Children's Online Privacy Protection Act (COPPA), and personal data protected by the Family Educational Rights and Privacy Act (FERPA). Notably, the CPA expressly exempts not only personal information protected under the GLBA, but also, "a financial institution or an affiliate of a financial institution as defined by and that is subject to" the GLBA, suggesting that any personal information processed by such a financial institution or affiliate thereof is exempt.

What Obligations Does the CPA Impose?

The CPA sets forth a series of obligations on controllers with respect to their processing of personal data, including:

  1. Data minimization (limiting their collection of personal data to that which is "adequate, relevant, and limited to what is reasonably necessary" for the relevant purposes).
  2. Purpose specification (specifying the "express purposes for which personal data are collected and processed").
  3. Secondary use (not processing personal data for purposes "not reasonably necessary to or compatible with the specified purposes for which the personal data are processed" unless the Consumer has consented to such processing).
  4. Transparency (providing Consumers with a "reasonably accessible, clear, and meaningful privacy notice" that includes, among other things, the categories of collected data, how [C]onsumers may exercise their rights, and the categories of personal data that the controller shares with third parties).
  5. Care (taking "reasonable measures to secure personal data during both storage and use from unauthorized acquisition").
  6. Non-discrimination (not processing personal data in violation of laws that "prohibit unlawful discrimination against [C]onsumers").

A controller may not share personal information with a processor until it has executed a contract with the processor that includes (i) instructions governing the nature and purpose of the processing to be performed; (ii) the type of personal data to be processed and the duration of the processing; (iii) the processing obligations listed as (1)-(6) above; (iv) requirements for return or destruction of the personal data upon completion of the processor's services; (v) obligations for the processor to assist the controller in responding to Consumer requests and otherwise complying with the CPA; and (vi) mandates for the processor to undergo audits and inspections to confirm its compliance with the CPA's standards.

With respect to "sensitive data," the Act prohibits any processing without first obtaining the consent of the Consumer to whom the data pertains (or, when processing personal data concerning a known child, consent from the child's parent or legal guardian). Such consent must be clear, informed and unambiguous. "Sensitive data" is personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed to identify an individual, and any personal data of a known child.           

In addition, as under the VCDPA, controllers must perform data protection assessments for processing activities that present "a heightened risk of harm to a [C]onsumer." Activities that present such a risk include, among other things, selling personal data, processing sensitive data, and processing personal data for purposes of targeted advertising or for profiling that presents a "reasonably foreseeable risk" of unfair or deceptive treatment of, or disparate impact on, "intrusion upon the solitude or seclusion, or the private affairs or concerns, of [C]onsumers if the intrusion would be offensive to a reasonable person." Data protection assessments must balance the benefits from processing to the controller against the potential risks to the rights of the Consumer associated with such processing and must be made available to the attorney general upon request.

What Rights Can Consumers Exercise Under the CPA?

As do the CCPA, GDPR and VCDPA, the CPA grants Consumers a number of rights with respect to their data, including the right to access their personal data and to have the data corrected, deleted, and/or provided in a portable format for transmission to others. And, also like the CCPA and VCDPA, the CPA gives Consumers the right to opt out of selling of their personal data or the use of their data for targeted advertising or profiling.           

The Act provides that on July 1, 2024, controllers that process personal data for the purposes of targeted advertising or the sale of personal data must provide a "universal opt-out mechanism" with which Consumers may opt-out. The attorney general must also adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a Consumer's unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

What Does the CPA Portend?           

As indicated by the actions of California, Virginia and Colorado, as well as the legislatures in a number of other states including New York and Washington, consumer privacy is a growing concern for legislators and their constituents. Privacy regulation is expanding in scope and detail and this trend is much more likely to accelerate than to abate. Companies that have needs to process personal information beyond that of their employees or representatives of their business partners or vendors should be considering the full scope of those needs and what the legislative trends indicate about the future ability to fulfill them. Is now a time to advocate for or against other states' adoption of laws similar to the CPA? Can a push be made for Congress to step up sooner than later at least to set guideposts for processing of personal information that has social benefits? What practical steps toward compliance with the existing state laws should be taken now, well ahead of applicable compliance deadlines? By examining these questions and considering how business models and industries might need to adapt in response to future legislative developments like the CPA, organizations will be better prepared to navigate a privacy regulatory landscape that continues to grow increasingly more complex. 

Footnote

1. See Arnold &Porter advisories on the CPRA and VCDPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.