In our blog post discussing Virginia's Consumer Data Protection Act ("VCDPA"), we anticipated that more states would adopt their own omnibus data privacy laws - and Colorado is the latest state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act ("CPA"), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.
The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:
- Right to opt out
- Right of access
- Right to correction
- Right to deletion
- Right to data portability
That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
Who must comply
The Colorado law applies to "controllers" (a person that, alone or jointly with others, determines the purposes for and means of processing personal data) that conduct business in Colorado or provide commercial products or services intentionally targeted to Colorado residents that:
- Control or process the personal data of 100,000 consumers or more during a calendar year; or
- Derives revenue or receives a discount on price of goods or services from selling personal data and processes or controls the personal data of 25,000 consumers or more.
Notably, the CPA omits a gross revenue threshold distinguishing the new law from California's law which requires a $25 million gross revenue requirement for covered businesses under the Act.
Special Opt Out / Opt-In Rights
As stated above, the CPA empowers consumers by granting a right to opt out of some processing of their personal data. This right appears to be the broadest among the three states. Within this right, Colorado residents may opt out of the:
- Sale of their personal data ("sale" has a broad definition under the CPA and includes the exchange of personal data for monetary or other valuable consideration);
- Targeted advertising; and
- Profiling.
These special opt out rights require companies to "clearly and conspicuously" post how consumers can opt out in a "readily accessible location outside the privacy notice." Companies must also provide Colorado consumers with the ability to opt out of the sale of their personal data or its use for targeted advertising through a "user-selected universal opt out mechanism" by July 1, 2024. What this likely means is that companies will need to provide consumers with a single button to exercise all three opt out rights listed above. The Colorado Attorney General will establish the specifications for this new requirement. To date, no other details about the universal opt out mechanism have been provided.
In addition to creating opt out rights, the CPA imposes a strict consent standard (i.e., opt-in requirement) similar to the European Union's (EU) General Data Protection Regulation (the "GDPR"), the VCDPA, and the California Privacy Rights Act for secondary uses of personal data and the processing of sensitive data. Under the CPA, "sensitive data" includes:
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition, or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
- Personal data from a known child.
Thus, a business must be aware of the data it collects and the purpose for such collection to determine whether consent must be given by Colorado consumers before collecting sensitive data. Under the CPA, consent must be "a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." Consent may be obtained through a written statement or affirmative act, via electronic or other means.
Enforcement of Consumer Rights
The CPA does not provide consumers a private right of action against a company that violates the CPA. Rather, the CPA vests enforcement authority with Colorado's Attorney General and, notably, district attorneys. Companies found in violation of the CPA may face civil penalties for a deceptive trade practice ranging from $2,000 to $500,000.
Unique Opportunity to Cure
While the Act imposes penalties for non-compliance, the CPA provides a fairly generous 60-day period in which a violation may be cured after notice is given by the enforcing Attorney General or district attorney, but only "if a cure is deemed possible." By comparison, the California Consumer Privacy Act (the "CCPA") and VCDPA allow for only 30 days to cure a violation after notice by the Attorney General is received. The CPA's cure period will be in effect until January 1, 2025.
CPA Obligations
Under the CPA, companies now have an affirmative obligation to protect the personal information they collect and must comply with numerous provisions of the CPA governing the processing and storage of consumer data. Additionally, companies must clearly communicate to consumers how their collected personal information is being used by the company to allow consumers to make informed decisions when exercising their newly minted rights under the CPA.
Like the CCPA and VCDPA, the Colorado law requires companies to:
- Implement technical and organizational safeguards;
- Conduct written data assessments, which must be made available to the Colorado Attorney General upon request; and
- Execute Data Processing Agreements ("DPAs") that specify the roles and responsibilities of entities collecting, selling, storing, disclosing, analyzing, deleting, or modifying personal data on your company's behalf.
Unlike the EU, the U.S. does not have a GDPR-equivalent privacy law at the federal level-prompting individual states to enact their own data protection regulations. As more states continue to adopt privacy laws, there may be a push for a federal U.S. privacy law. Until then, businesses would be wise to familiarize themselves with the data protection laws in California, Colorado, and Virginia, as these laws will likely provide the statutory framework for the adoption of similar laws across the country.
Strategizing now about how your company will achieve and maintain compliance under these various privacy laws is more critical than ever. As the privacy landscape continues to change, Taft's Privacy and Data Security Practice stands ready to assist your business as you evaluate the requirements and also strategic opportunities that these laws provide.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
