Colorado Enacts Privacy Act, Becoming Third State with Comprehensive Privacy Law
Colorado Governor Jared Polis signed the Colorado Privacy Act (the “CPA”) into law on July 8, 2021, making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law to protect its residents. The CPA will go into effect on July 1, 2023.
The CPA will apply to legal entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either (1) control or process the personal data of 100,000 or more consumers during a year, or (2) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. There is no applicable revenue threshold. “Consumers” are defined in the CPA to include Colorado residents acting in their individual or household contexts. The CPA excludes individuals acting in a commercial or employment context, job applicants, and beneficiaries of someone acting in an employment context from its definition of “consumer.” “Personal data” under the CPA is defined to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” The CPA’s requirements will not extend to de-identified data or publicly available information.
To comply with the CPA, businesses will need to provide consumers with clear privacy notices and conduct data protection assessments for any personal data processing that presents a heightened risk of harm to consumers. The CPA does not offer much guidance as to what may or may not qualify as a “heightened risk of harm,” but the Colorado Attorney General could promulgate clarifying rules before the CPA goes into effect.
The rights afforded to consumers under the CPA include the right to opt out of the processing of personal data for targeted advertising or for the sale of such personal data. The CPA provides for a “user-selected universal opt-out mechanism,” which covered entities may implement once the CPA goes into effect; however, beginning July 1, 2024, the universal opt-out mechanism will be mandatory. The CPA lacks clear guidance regarding the expectations for the opt-out mechanism, but the Colorado Attorney General will promulgate rules detailing the requisite technical specifications by July 1, 2023. The user-friendly mechanism must allow consumers to freely and unambiguously choose to opt out of the personal data processing. A mere default setting will be insufficient.
In addition to the opt-out right, consumers will be afforded the right to access certain personal data—and to obtain it in a portable, readily usable format—and with the rights to correct inaccuracies and to delete personal data concerning them. Once a consumer submits a request to access, correct, delete, or provide personal data, the receiving entity must respond to the consumer’s request within 45 days of receiving it. Consumers will have the right to appeal an entity’s decision.
Colorado is the second state in 2021 to pass comprehensive data privacy legislation, after Virginia passed the Virginia Consumer Data Protection Act (“CDPA”) earlier this year. California also recently passed a new data privacy law by ballot initiative, the California Privacy Rights Act (“CPRA”), which will expand the scope of protections currently afforded to California residents by the California Consumer Privacy Act of 2018.
A Comparison of the New Data Privacy Laws in Colorado, Virginia, and California
In many ways, the CPA is similar to the Virginia CDPA, but there are distinctions among all three privacy laws that anyone conducting business in all three states should be aware of.
- California and Virginia’s Acts will take effect on January 1, 2023.
- The CPA will take effect on July 1, 2023.
- Like Virginia’s Act, the CPA does not provide for a private right of action. The Attorney General and district attorneys will have exclusive authority to enforce the CPA.
- California’s Act, however, does provide a private right of action, and the CPRA creates a new state agency, the California Privacy Protection Agency, to enforce the Act.
- All three Acts will apply to businesses that control or process the personal data of 100,000 or more consumers per year.
- The CPA will also apply to businesses that control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. In slight contrast, Virginia’s Act will apply to businesses that control or process the personal data of 25,000 or more residents and derive more than 50 percent of their gross revenue from the sale of personal data.
- California’s Act will also apply to businesses that have an annual gross revenue exceeding $25 million or that derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal information.
- * Note that all three Acts provide exemptions for certain businesses that are already regulated under other federal laws.
- All three Acts provide similar consumer rights, including special protections for “sensitive” personal information like race, religion, sexual orientation, etc. Virginia and Colorado’s Acts require covered entities to obtain a consumer’s consent before processing sensitive personal information. This “opt-in” provision is not included in California’s law.
- The CPA’s mandatory “user-selected universal opt-out mechanism” is not required by either the California Act or the Virginia Act.
- Businesses covered by the new data privacy laws should:
- Implement cybersecurity safeguards;
- Create and communicate to consumers a process by which consumers may submit a request regarding their personal data and subsequently appeal a decision;
- Provide a clear and conspicuous notice informing consumers that they have the right to opt out of targeted advertising and sales of their personal data;
- Establish a user-selected universal opt-out mechanism by July 1, 2024;
- Update their contracts with third parties to ensure that they comply with the laws;
- Obtain consumers’ informed consent before collecting sensitive data; and
- Establish a procedure to determine when to conduct a data protection assessment.
Although the CPA and the other new data privacy laws do not go into effect for some time, it is never too early to start assessing your company’s data privacy obligations and begin working toward compliance. Koley Jessen will continue to monitor developments related to the new laws and advise as updates become available. If you have questions on whether your business needs to comply with the new data privacy laws and what steps you must take to comply with the new laws, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.
Special thanks to Kayla Sullivan, Koley Jessen Summer Associate, for her contributions to this article.