On July 7, 2021, Colorado enacted a new privacy law called the Colorado Privacy Act (CPA). The CPA is the third state-level omnibus data privacy law, similar in scope to the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), respectively enacted in 2018 and earlier this year. The CPA will come into effect on July 1, 2023.
Like the VCDPA, the CPA uses concepts and terminology from the EU’s General Data Protection Regulation (GDPR). This includes the use of the term “personal data” for personal information and “processing” for the collection, modification, storage, use or disposal of personal information. The CPA also adopts the GDPR’s conceptualization of data processors and data controllers. Under the CPA, a processor is a natural or legal person who processes personal data on behalf of another person, and a controller is a person who, alone or jointly with others, determines the purposes and means of processing personal data. These definitions are similar to the definitions of these terms in the GDPR and the VCDPA.
While the CPA is very similar in structure and obligations to the VCDPA, and also shares a number of requirements with the California Privacy Rights Act (CPRA), which amended the CCPA, the CPA differs from the two laws in some of its details. For example, the CPA does not exempt nonprofit entities and does not apply to employee or company data. Therefore, while it is clear that states look to each other for model privacy legislation, the various differences warrant an independent review of each individual state law.
The CPA was enacted against the backdrop of multiple privacy bills advancing through state legislatures. To date, more than 25 state legislatures have introduced CPA-like privacy bills, the most recent being Ohio, where a bill was introduced two weeks ago. In addition to Ohio, CPA-type bills are currently under consideration in the legislatures of Massachusetts, New York, North Carolina and Pennsylvania.
APPLICABILITY AND SCOPE
The CPA applies to any business that (i) conducts business in Colorado or produces or provides commercial products or services intended for residents of Colorado, and (ii) either (a) controls or processes the personal data of 100,000 Colorado residents per year or (b) earns income or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.
The CPA exempts from its application data subject to certain other laws, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act. The CPA also exempts employment records and certain data held by utilities, state government, and public higher education institutions. Notably, nonprofit entities are not exempt from the requirements of the CPA.
DATA RIGHTS AND PRIVACY NOTICE
The CPA establishes a set of consumer data rights similar to those established by the VCDPA and the CCPA: a right of access, a right of rectification, a right of deletion, a right of data portability, and a right to opt out of targeted advertising, sales of personal information, and profiling decisions that produce legal or similarly significant effects on a consumer. Controllers must respond to requests within 45 days and establish an appeal process.
Data controllers are required to provide consumers with an accessible, clear and meaningful privacy notice that describes the types of data collected, how it is used, what data is shared with third parties, and which third parties receive the data. The privacy notice must also indicate how and where the consumer can exercise their rights. Unlike the VCDPA, the CPA does not require re-identification of anonymized data when responding to requests, and data subject rights need not be honored with respect to anonymized data.
Like the VCDPA, the CPA prohibits data controllers from processing “sensitive data” without consumer consent. Sensitive data is defined as data revealing racial or ethnic origin, religious beliefs, a physical or mental health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of identifying an individual, and any personal data of a known child. Consent can be given through a “clear and affirmative act signifying the freely given, specific, informed and unambiguous agreement of a consumer”, such as an electronic declaration.
The CPA creates requirements for the relationships between data controllers and data processors. Data controllers must have contracts in place with each processor addressing, among other things, audits of the processor and confidentiality and technical security requirements for the data processed. Notably, a processor must give the data controller the opportunity to object each time the processor engages another processor.
DATA PROTECTION ASSESSMENTS
Similar to the VCDPA, the CPA requires data controllers to perform a Data Protection Assessment (DPA) when the processing of data “presents a heightened risk of harm to a consumer”. Such risk is presented when, for example, the processing creates a risk of unfair or deceptive treatment, disparate impact, financial or physical harm, intrusion upon seclusion or other offensive invasions of privacy, or other “substantial injury” to consumers. DPAs are also required when a business intends to sell personal information or process sensitive data (see above). As under the VCDPA, DPAs must be provided to the Colorado Attorney General upon request. DPAs received by the Attorney General are confidential and exempt from the Colorado Open Records Act, and producing them does not constitute a waiver of privilege.
The law expressly denies a private right of action and is enforced by the Colorado Attorney General and Colorado district attorneys. The Colorado Attorney General also has the authority to promulgate implementing regulations, although the law does not set a deadline for those regulations. A CPA violation constitutes a deceptive trade practice under the Colorado Consumer Protection Act, punishable by civil penalties of up to $2,000 per violation for each consumer and transaction, with a maximum penalty of $500,000 for related violations.