On July 7, 2021, Colorado’s governor signed into law the Colorado Privacy Act (CPA), which follows similar privacy laws enacted in California and Virginia and is consistent with an expanding national trend. The effective date for the CPA is July 1, 2023, subject to a 60-day cure period through 2024. 

Kramer Levin developed the following checklist to help your business better understand:

  • Whether the CPA applies to your business
  • What consumer rights it creates, and how they compare to the California and Virginia laws
  • How to respond to consumers exercising those rights
  • Best practices to ensure compliance

For companies that have already taken steps to comply with the California and Virginia privacy laws, the good news is that the CPA contains significant overlap. The CPA also borrows terms and principles from Europe’s General Data Protection Regulation (GDPR), including assigning specific responsibilities to companies that collect consumer data (called “controllers”) and those that process data on a controller’s behalf (called “processors”). Please see our earlier articles on the California and Virginia privacy laws and the GDPR for additional guidance.

Checklist for the Colorado Privacy Act

Does the CPA Apply to Your Business?

  • The CPA applies to any business, including nonprofits, that operates in Colorado or targets residents of Colorado for goods or services, and satisfies one of the following thresholds:
    • Processes the personal data of 100,000 consumers or more per year
    • Derives revenue or receives a discount on the price of goods or services from the sale of personal data, and processes the data of 25,000 consumers per year
  • Similar to the California and Virginia laws, however, the CPA does not apply to information governed by the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, among certain other information already governed by federal law
  • Additionally, the CPA exempts certain consumer-requested services (e.g., delivery apps) and publicly available information (e.g., web scraping). The CPA’s definition of publicly available information is broader than the definition under California law

If Yes, the Company Must Provide Notices to Consumers of the Following Rights:

  • Right to Opt Out
    • Colorado consumers have the right to opt out of the processing of their personal data for (1) targeted advertising, (2) profiling or (3) the sale of that data
    • Like the California law, the CPA requires a universal “opt-out button” for websites
  • Right of Access
    • Colorado consumers have the right to confirm whether a business is processing their personal data and to access that data
  • Right to Correction
    • Colorado consumers have the right to correct inaccuracies in the data collected about them
  • Right to Deletion
    • Colorado consumers have the right to request that a business delete their personal data
  • Right to Data Portability
    • Colorado consumers have the right to obtain personal data in a portable and readily usable format

Recommended Best Practices for CPA Compliance:

  • Businesses that have not already done so should map their data flows and determine what personal data they store and process, and where and how it is stored
  • Businesses must conduct data protection assessments for certain activities, including targeted advertising, sales and processing of sensitive personal data
  • Businesses should review and update their privacy policies to capture all of the required notices to consumers described above
    • All of the CPA consumer rights are also provided under the California and/or Virginia privacy laws
  • Businesses should also review their agreements with third parties with whom they share personal data
    • Like the GDPR, the CPA assigns specific duties and liabilities to controllers of personal data and processors that handle that data as a service to the controller
  • Next, businesses should develop procedures for responding to consumer requests to exercise their rights under the CPA, including:
    • Responding to consumer requests within 45 days
    • Allowing consumers one free inquiry annually
    • Authenticating the consumer’s request, or declining the request if it cannot be authenticated
    • Establishing a “conspicuously available and easy to use” internal process for consumers to appeal any declined request
      • The right to appeal is included in Virginia’s privacy law, but not in California’s
    • Responding to any such appeal within 45 days after receipt, including a written explanation of the actions taken and the reasons supporting those actions
      • Businesses may extend the appeal response period by an additional 60 days, so long as they provide the consumer a reasonable explanation for the delay within the initial 45-day period
      • By contrast, Virginia’s privacy law allows 60 days to respond to an appeal
    • Informing the consumer of the ability to contact the Colorado attorney general regarding the results of the appeal

Additional Duties of Businesses Under the CPA

  • Businesses must also meet the following duties set forth in the CPA:
    • Duty of Transparency
      • Similar to the California and Virginia privacy laws, the CPA requires businesses to provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
        • The categories of personal data collected or processed by the business
        • The purposes for which the categories of personal data are processed
        • How and where consumers may exercise their rights under the CPA
        • The categories of personal data that the business shares with third parties
        • The categories of third parties with whom the business shares personal data
      • If a business sells personal data to a third party or processes personal data for targeted advertising, the business must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing
    • Duty of purpose specification
      • A business must specify the express purposes for which it collects and processes personal data
    • Duty of data minimization
      • Following similar principles from Europe’s GDPR, a business’s collection of personal data under the CPA must be adequate, relevant and limited to what is reasonably necessary in relation to the specified purpose for which the data is collected
    • Duty to avoid secondary use
      • A business must not process personal data for purposes that are not reasonable to, or compatible with, the specified purposes for which the personal data is collected, without the consumer’s consent
    • Duty of care
      • A business must take reasonable measures to secure personal data from unauthorized acquisition, during both storage and use
    • Duty to avoid unlawful discrimination
      • A business must not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers
    • Duty regarding sensitive data
      • A business must conduct data assessments with regard to sensitive data
      • A business must not process a consumer’s sensitive data without first obtaining the consumer’s consent
        • Like the California and Virginia privacy laws, the CPA creates a category of “sensitive” personal data that includes race or ethnicity, religion, health conditions, sexual orientation, citizenship, biometric data, and other personal information

Enforcement

  • The CPA does not create a private right of action for individuals to sue for violations; instead, Colorado’s attorney general and district attorneys retain exclusive enforcement powers and may impose penalties up to $20,000 per violation
  • As stated above, the CPA will not go into effect until July 2023, with a cure period through 2024
  • Starting in 2025, although the cure period will have ended, the CPA will allow companies to seek guidance on their privacy practices from the Colorado attorney general in the form of opinion letters and no-action letters
    • The California and Virginia laws do not provide an avenue for such guidance