On July 8, the Colorado Privacy Act was signed into law with an effective date of July 1, 2023. Like the other omnibus state privacy laws passed in the United States (California's and Virginia's notably), it contains a lot of detail to review. Colorado is perhaps an example of what we can expect in the future: some similarities, some differences, and some new elements. The similarities include consumer rights, privacy notices, and opt-outs of certain processing activities, such as the sale of personal data.
Because the 2021 legislative session had already ended when the bill reached him, the governor had thirty days rather than the usual ten to sign or veto it (Colo. Const. Art. IV, Section 11); had he done neither, it would have become law without his signature. The July 1, 2023 effective date holds as long as no referendum petition is filed; if one is, the law and its enforcement date become subject to the election process.
Given the extent of the Colorado Privacy Act, we will provide a four-part blog series to address all the components:
- Part I – Overview
- Part II – Consumer Rights and how to implement your response program
- Part III – Special Processing Activities (targeted ads, sales, profiling) & Consent
- Part IV – Responsibilities of the Parties & Contracts
It is easy to see the similarities to and differences from other state omnibus privacy laws. Like Virginia, Colorado adopts many of the concepts of the European Union's General Data Protection Regulation, such as controllers and processors. A controller is "a person that, alone or jointly, determines the purposes for and means of processing personal data." Likewise, a processor is a person that "processes personal data on behalf of a controller." However, Colorado also spells out when a processor becomes a controller through its own actions.
Colorado makes it clear that the classification of controller and processor is "a fact-based determination that depends on the context in which personal data are to be processed" (s. 6-1-1305(7)). A processor that fails to follow the controller's contractual instructions is treated as a controller for that processing, and becomes subject to the requirements that apply to controllers.
Personal data is “information that is linked or reasonably could be linked to an identified or identifiable individual,” but does not include de-identified information or publicly available information.
Another key term is consumers – which are Colorado residents, “acting only in an individual or household context,” but not “in a commercial [B2B] or employment context, as a job applicant, or the beneficiary of someone acting in an employment context.”
Who is subject to the Colorado Privacy Act?
The Colorado Privacy Act ("CPA") applies to controllers that conduct business in Colorado, or that produce or deliver commercial products or services intentionally targeted to Colorado residents, and that meet at least one of the following two thresholds:
- Control or process the personal data of 100,000 or more consumers during a calendar year, or
- Derive revenue, or receive a discount on the price of goods or services, from the sale of personal data and control or process the personal data of 25,000 or more consumers (Colorado residents acting in an individual or household context, not in a B2B or employment context).
The CPA definition of "sale" is similar to California's in that it is not limited to a purely monetary exchange for personal data but includes "other valuable consideration." There are exceptions, such as disclosures from controllers to processors for activities on the controller's behalf, disclosures requested by the consumer, and disclosures in furtherance of mergers and acquisitions. It also excludes intentional disclosures by consumers, such as using the controller to interact with third parties or making information available to the general public through mass media.
There are also broad exceptions to the CPA in general (s. 6-1-1304(2)). For example, the CPA does not apply to protected health information under the Health Insurance Portability and Accountability Act (along with its subsequent amendments, "HIPAA"), or to personal data regulated under the Gramm-Leach-Bliley Act ("GLBA"), the Children's Online Privacy Protection Act ("COPPA"), or the Family Educational Rights and Privacy Act ("FERPA"), among quite a few other broad exceptions.
There is no private right of action in the CPA and it specifies that violations of the CPA cannot be used as the basis to support private rights of actions under other laws.
The Attorney General and district attorneys have exclusive authority to enforce the CPA, and enforcement can include injunctions, settlements, and penalties. The enforcement details are found in Title 6, Article 1 of the Colorado Revised Statutes (the Colorado Consumer Protection Act), which provides for penalties of up to $2,000 for each violation, counted per consumer or per transaction, not to exceed $500,000 for any related series of violations. Title 6 of the Colorado Revised Statutes addresses Consumer and Commercial Affairs, covering myriad topics from fair trade to health care coverage cooperatives. The Colorado Consumer Protection Act sits under Article 1 (Fair Trade and Restraint of Trade), which also contains the Notification of Security Breach provisions in Part 7.
Once the law is in effect, the AG or a district attorney may issue a notice of violation of the CPA before bringing an enforcement action if they believe the violation can be cured, allowing 60 days to do so. This is only available during the first year and a half: on January 1, 2025, the optional notice and cure period are repealed.
To learn how TrustArc can help you prepare for the Colorado Privacy Act, visit trustarc.com.