Privacy Three-Peat: Colorado Becomes Third State to Enact Comprehensive Data Privacy Law
|Footnotes for this article are available at the end of this page.|
On July 7, 2021, Colorado Governor Jared Polis signed into law S.B. 21-190, known as the Colorado Privacy Act (“CPA”). Colorado is now the third U.S. state to enact comprehensive consumer data privacy legislation, following California and Virginia. Like the others, the CPA grants Colorado residents the right to access, correct, and delete their personal data, as well as opt-out of targeted advertising and the sale of their personal data.
The California Consumer Privacy Act (“CCPA”) took effect January 1, 2020, and will be replaced by the California Privacy Rights Act (“CPRA”) on January 1, 2023, the same day the Virginia Consumer Data Protection Act (“VCDPA”) will take effect. The CPA is scheduled to take effect on July 1, 2023.
Applicability and Exemptions
The CPA applies to an entity that:
(a) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and
(b) (i) during a calendar year, controls or processes the personal data of 100,000 or more Colorado residents, or (ii) derives revenue (or receives a discount on the price of goods or services) from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado residents.1
Notably, unlike the CCPA/CPRA, the CPA does not include a company revenue threshold, and thus, a business with few Colorado customers does not become subject to the Colorado law merely due to its annual revenue.
Also notable is the fact that, unlike its California and Virginia counterparts, the CPA does not provide an exemption for non-profit entities.
The CPA contains several exemptions for entities or data that are subject to certain federal sectoral privacy laws and regulations. For example, the CPA exempts:
• certain data that is subject to the Health Insurance Portability and Accountability Act (“HIPAA”), but does not exempt “covered entities” and “business associates” at the entity-level;2
• certain processing involving federal substance abuse regulations, patient safety work product, and certain health research;3
• consumer reporting agencies (“CRAs”), furnishers, and users of consumer reports to the extent they perform activities that are regulated and authorized by the Fair Credit Reporting Act (“FCRA”);4
• data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) and the Driver’s Privacy Protection Act (“DPPA”);5
• financial institutions and their affiliates that are subject to GLBA and its implementing regulations;6
• data regulated by the Family Educational Rights and Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Act (“COPPA”);7 and
• air carriers and national securities associations.8
There are also exemptions tied to certain provisions of state law, including state medical records laws, the state health benefit exchange, as well as certain exemptions for state institutes of higher education and state and local agencies when acting in compliance with the law and for noncommercial purposes.9
The CPA applies to the personal data of “consumers,” which are defined as “Colorado resident[s] acting only in an individual or household context; and does not include an individual acting in a commercial or employment context, [or] as a job applicant.”10 Thus, like the VCDPA, the CPA exempts employment data.
The CPA uses the terms “controller” and “processor” to refer to businesses and service providers, respectively. The CPA grants consumers the following rights.
(1) Right to Opt-Out of Targeted Advertising, Sale, and Profiling
A consumer has the right to opt-out of the processing of his or her personal data for purposes of (i) “targeted advertising”—which is displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services; (ii) the “sale” of personal data—which is defined as the exchange of personal data to a third party for monetary or other valuable consideration, subject to certain exceptions; or (iii) “profiling” in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.11 Controllers are required to provide a clear and conspicuous method for consumers to opt-out.12 Beginning July 1, 2024, controllers will be required to accept opt-out requests through a universal opt-out mechanism that meets the technical specifications set out in the forthcoming regulations to be adopted by the Attorney General.13
(2) Right of Access, Correction, Deletion, and Data Portability
A consumer has the right to access, correct, and delete personal data that a controller maintains about him or her. When exercising the right to access personal data, a consumer has the right, no more than twice per calendar year, to obtain his or her personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity without hindrance, subject to certain exceptions.14
(5) Right to Appeal Denial of a Consumer Request
The CPA requires controllers to establish an internal process whereby consumers can appeal a controller’s refusal to take action on a consumer request. The appeal process must be conspicuously available and as easy to use as the process for submitting a request.15
The CPA imposes the following obligations on controllers.
(1) Privacy Notice
A controller must provide consumers with a privacy notice that includes certain information prescribed in the CPA, including: (i) the categories of personal data collected or processed, (ii) the purposes for which categories of personal data are processed, (iii) the categories of personal data the controller shares with third parties, (iv) the categories of third parties with whom the controller shares personal data, (v) whether the controller sells or processes personal data for targeted advertising, and (vi) how consumers may exercise their rights granted by the CPA.16
(2) Duty of Purpose Specification and Duty to Avoid Secondary Use
A controller must specify the express purposes for which personal data is collected and processed, and may not process personal data for purposes that are not reasonably necessary to or compatible with the specified purpose(s) without first obtaining the consumer’s consent.17
(3) Duty of Data Minimization
A controller may only collect the personal data reasonably necessary in relation to the specified purposes for which the data is processed.18
(5) Duty of Care
A controller must take reasonable measures to secure personal data during storage and use. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.19
(6) Duty to Avoid Unlawful Discrimination
A controller may not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.20
(7) Duty Regarding Sensitive Data
A controller may not process a consumer’s sensitive data—defined as (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition, sex life or sexual orientation, or citizenship or citizenship status, (b) genetic or biometric data that may uniquely identify an individual, or (c) personal data from a child under 13 years of age21—without first obtaining the consumer’s consent.22
(8) Data Protection Assessments
Before a controller may conduct processing that “presents a heightened risk of harm” to a consumer (e.g., targeted advertising, profiling, selling personal data, and processing sensitive data), it must conduct and document a data protection assessment of such processing activities.23 Data protection assessments must identify and weigh the benefits that may flow from the processing of personal data against the potential risks to the rights of the consumer, as mitigated by any safeguards employed by the controller.24 The results of the assessment must be made available to the Colorado Attorney General upon request.25
(9) Processor Agreements
Processing activities undertaken by a processor on behalf of a controller must be governed by a data processing agreement that contains certain terms as set out in the CPA.26
Under the CPA, processors must:
• adhere to the instructions of the controller;
• take appropriate technical and organizational measures to secure personal data, help the controller respond to consumer requests, and enable the controller to conduct data protection assessments;
• assist the controller in meeting its data security and data breach notification obligations under the CPA and Colorado’s data breach notification law;
• only engage a subcontractor pursuant to a written contract and only after providing the controller with an opportunity to object; and
• enter into a processing agreement with the controller.27
The CPA grants the Colorado Attorney General authority to issue CPA regulations. The Attorney General is required to adopt rules by July 1, 2023, that provide the technical specifications for one or more “universal opt-out mechanisms” discussed above, by which consumers can opt-out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.28
The CPA does not provide a private right of action for consumers.29 The Colorado Attorney General and District Attorneys will have exclusive authority to enforce the CPA.30 Prior to an enforcement action, a controller must be provided a notice of violation and a 60-day cure period if a cure is deemed possible.31 The maximum fine that can be imposed for a CPA violation is not specifically set forth in the CPA, but violations of the CPA are deemed a “deceptive trade practice” pursuant to the Colorado Consumer Protection Act, so the maximum penalty for a violation of the CPA will be $20,000 per violation (measured per consumer), and possibly as much as $50,000 in the event of a violation involving an elderly person.32
Some important takeaways, the first two relating to the hiring and onboarding process for employers subject to the CPA:
• The CPA exempts data “maintained for employment records purposes,” and the definition of “consumer” does not include an individual acting in a “commercial or employment context.” Therefore, personal data belonging to employees and job applicants is exempt.
• Actions by consumer reporting agencies (CRAs), furnishers of information, and users of consumer reports related to employment background screening that are covered under the FCRA, are exempt.
• Non-profits are not automatically exempt.
The CPA is scheduled to take effect on July 1, 2023, provided that the legislation is not subject to a ballot initiative and rejected by Colorado voters.33 With similar privacy bills under consideration in several other state legislatures, the trend of state-level privacy legislation appears likely to continue, and businesses will need to evaluate each law to determine whether and how it applies to their organization.
For assistance assessing the CPA’s impact on your organization, please contact Arnall Golden Gregory LLP Data Privacy team members, Kevin L. Coy, Montserrat C. Miller, or Erin E. Doyle.
 CO S.B. 21-190 § 6-1-1304(1).
 Id. at § 6-1-1304(2)(a), (g)(I), (h).
 Id. at § 6-1-1304(2)(c), (d), (f).
 Id. at § 6-1-1304(i).
 Id. at § 6-1-1304(2)(j)(II), (III).
 Id. at § 6-1-1304(2)(q),
 Id. at § 6-1-1304(2)(j)(IV), (V).
 Id. at § 6-1-1304(2)(l), (m).
 Id. at § 6-1-1304(2)(b), (j)(I), (o).
 Id. at § 6-1-1303(6).
 Id. at § 6-1-1306(a).
 Id. at § 6-1-1306(1)(a)(III).
 Id. at §§ 6-1-1306(1)(a)(IV), 6-1-1313.
 Id. at §§ 6-1-1306(1)(b), (c), (d), (e), 6-1-1307(1)(b).
 Id. at § 6-1-1306(3).
 Id. at § 6-1-1308(1).
 Id. at § 6-1-1308(2), (4).
 Id. at § 6-1-1308(3).
 Id. at § 6-1-1308(5).
 Id. at § 6-1-1308(6)
 Id. at § 6-1-1303(24).
 Id. at § 6-1-1308(7).
 Id. at § 6-1-1309(1), (2).
 Id. at § 6-1-1309(3).
 Id. at § 6-1-1309(4).
 Id. at § 6-1-1305(5).
 Id. at § 6-1-1305.
 Id. at § 6-1-1313(1)-(2).
 Id. at § 6-1-1310(1).
 Id. at § 6-1-1311(1).
 Id. at § 6-1-1311(1)(d). Such cure period will no longer be required beginning January 1, 2025.
 C.R.S. §§ 6-1-105, 6-1-112(1)(a), (c).
 CO S.B. 21-190 at § 6-7(1).
- Kevin L. Coy
- Erin E. Doyle