Colorado Privacy Act (CPA)

On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules. The CPA is a part of the State of Colorado’s Consumer Protection Act and goes into effect July 1, 2023.

The CPA grants Colorado Consumers new rights with respect to their personal data, including the right to access, delete, and correct their personal data as well as the right to opt out of the sale of their personal data or its use for targeted advertising or certain kinds of profiling. The CPA also places new obligations on covered entities to safeguard personal data, including the requirement to give Coloradans meaningful information about the collection and use of their data, to conduct data protection assessments, and to obtain consent before processing certain sensitive personal data.

The proposed draft rules for the CPA were published by the Secretary of State on Oct. 10, 2022, and the final rules were filed with the Secretary of State March 15, 2023. These include the required rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data (6-1-1313(2), C.R.S.). The final CPA rules, filed with the Colorado Secretary of State, can be found here.

The text of the Colorado Privacy Act (Senate Bill 21-190) is available here.

On July 12, 2023, Attorney General Weiser announced the launch of enforcement of the CPA. As part of that enforcement effort, the Department began mailing letters to businesses focused on educating them about the law and their new legal obligations. You can read examples of those letters here:

FREQUENTLY ASKED QUESTIONS & GENERAL INFORMATION

What does the CPA protect?

The CPA protects the personal data of Colorado residents when they act in an individual or household context, for example when browsing the internet or signing up for a retail rewards program. The CPA does not cover the personal data of individuals acting in a commercial or employment context, such as a job applicant

When do the new laws take effect?

To allow companies time to change their practices and operations to comply with this new law, it will not take effect until July 1, 2023.

How does the CPA protect Colorado consumers?

Under the act, Colorado consumers will gain additional insight into what personal data controllers collect, share and sell, and how that data is used. Additionally, Colorado consumers will have the following enumerated rights with respect to their personal data:

The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling;
The right to know whether a controller is collecting personal data;
The right to access personal data that a controller has collected about them;
The right to correct personal data;
The right to delete personal data; and
The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

What does it mean to process data?

Data processing refers to actions a company make take regarding personal data, including the collection, usage, sale, storage, disclosure, analysis, deletion, or modification of personal data. An entity “processes” data even if it instructs another entity to process data on its behalf.

What is the difference between controllers and processors?

A controller determines the purpose for and means of collecting and processing personal data. For example, retailers like Walmart and Target are considered controllers because they collect consumer information when customers make their purchases, and then decide how that information will be used. Controllers make the primary decisions to manage, collect, and utilize data.

A processor maintains and processes consumer personal data on behalf of a controller. For example, a cloud services provider could act as a processor by storing personal data collected by a controller, as directed by that controller.

The general distinguishing factor between a processor and a controller is the entity’s autonomy and decision-making authority over data. Under the CPA, a processor may only process data under the direct authorization and command of a controller. The CPA requires a controller and processor to define their respective responsibilities and obligations in a contractually binding processing agreement.

Some processors act as both controllers and processors depending on their role, and if a Processor begins to determine the purpose and means of the data processing, it becomes a controller with respect to that processing.

WHAT CONSUMERS AND ENTITIES SHOULD KNOW

How do Colorado Consumers exercise their rights under the CPA?

How do Colorado consumers exercise their rights under the CPA?

When the CPA goes into effect in July of 2023, consumers will be able to learn how to exercise their rights on businesses’ websites. Businesses and other organizations controlling data, also called controllers, will be obligated to provide consumers with a privacy notice that includes the types of personal data collected or processed, the purpose for which that personal data is processed, the type of data that is shared with third parties and the categories of third parties it is shared with, and how people can access, correct, delete, and download and transmit their personal data. Additionally, those businesses and organizations will have to provide clear and conspicuous disclosure if any personal data is sold or processed for targeted advertising and how people can to opt out of having their data sold or processed. Consumers will be able to opt-out through businesses' privacy notices as well as through a readily accessible location outside the privacy notice. Additionally, consumers will be able to opt out through a universal opt-out option which will apply to all businesses subject to the CPA.

Before the CPA goes into effect, the Colorado Attorney General’s Office will create and provide rules with input from consumers and other stakeholders setting forth additional details regarding the steps controllers must take to ensure that consumers can effectively exercise their rights, including details relating to the universal opt-out mechanism.

Is consent required to process personal data under the CPA?

Only in specific circumstances. The CPA requires controllers to get affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service, hovering over, pausing, or otherwise interacting with content generally, and agreement obtained through deceptive webpage design is not considered consent under the CPA.

What's the difference between personal data and sensitive data?

Personal data is any non-public information that reasonably can be linked to an individual. Sensitive data is a subset of personal data and includes:

Any personal data regarding a child under the age of 13;
Any data that reveals the race, ethnic origin, or religious beliefs, mental or physical health conditions or diagnoses, sexual activity, preferences or orientation, or citizenship status or citizenship of an individual; and
Biometric data that is used for identifying an individual.

HOW BUSINESSES, NONPROFITS, AND OTHER ENTITIES WILL BE IMPACTED

Who must comply with the CPA?

The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:

Process the personal data of more than 100,000 individuals in any calendar year; or
Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.

What is excluded from the CPA?

The CPA excludes some types of entities from complying with its requirements. These entities include:

Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
Air carriers subject to Federal Aviation Administration regulation; and
National securities associations registered under the Securities Exchange Act.

The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes. For a complete list see §6-1-1304 of the CPA.

What obligations do data controllers have under this new law?

Under the law, controllers MUST:

Be transparent about how they collect, store, use, share and sell personal data, and clearly identify the purpose for which they do so;
Minimize the amount of data they collect and store, meaning they should only collect and store information they need;
Avoid secondary uses of the data, meaning they can’t use personal data for reasons individuals were not originally aware of;
Use reasonable security practices to secure the data;
Respond to requests by individuals asserting the rights granted to them under the law; and
Conduct Data Protection Assessments before selling personal data, processing “sensitive data,” or processing personal data that could result in:
- unfair, deceptive or disparate treatment of individuals;
- financial or physical injury to individuals;
- a physical or other intrusion on an individual’s privacy that would be offensive to reasonable people; or
- some other substantial injury.

Under the law, controllers MAY NOT:

Collect, store, use, share or sell “sensitive data” without an individual’s consent.
Use personal data in any way that would result in unlawful discrimination.

HOW THE CPA WILL BE ENFORCED

What is the Attorney General's role in enforcing this law?

The Attorney General’s Office and District Attorneys have sole enforcement power under the CPA. The Attorney General’s Office also has rulemaking authority under the law.

Can individuals that have had their data mishandled sue directly under the CPA?

No. Private citizens are not entitled to file lawsuits or enforce legal rights under the CPA. Only the Attorney General and District Attorneys can enforce the CPA.

Are companies provided notice of a violation before enforcement action is taken?

If the Attorney General or District Attorney determines that a violation can be remedied, the Attorney General or District Attorney must first send a letter giving the violator 60 days to cure the violation. If either office determines that no fix is possible for the violation, no such letter is required. The process of providing notice of a violation and allowing 60 days for a cure will be in effect until Jan. 1, 2025.

What are the penalties the government can impose if a company is found in violation of the CPA?

Will the Attorney General provide any guidance on how to comply with the CPA?

Yes. The Attorney General will create rules both for the purpose of carrying out the CPA and to detail the technical specifications of one or more universal opt-out options. The Attorney General plans on adopting those rules before July 1, 2023.

The Attorney General’s Office will engage with Colorado consumers, businesses, and other stakeholders related to the CPA and potential rulemaking considerations. In early 2022, the Attorney General’s Office will post a series of topics for informal input on its website and solicit responses in writing and at scheduled events. This will help the office engage in a more focused dialogue, consider diverse perspectives, and address issues. By the fall of 2022, the Attorney General’s Office plans to post a formal Notice of Proposed Rulemaking, which will include a proposed set of model rules. This will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado. If you would like to follow the CPA rulemaking process, you may sign up to receive additional information and updates here.