On July 8, the Colorado Privacy Act was signed into law with an effective date of July 1, 2023. Like other omnibus state laws passed in the United States (California and Virginia notably), there are a lot of details to review. Colorado is perhaps an example of what we can expect in the future – some similarities, some differences, and some new elements. Similarities include consumer rights, privacy notices, and opt outs of certain processing activities, such as the sale of personal data.
In Part I of this series on the Colorado Privacy Act, we provided general information on the CPA along with key definitions and enforcement. In this part, we will address consumer rights and how controllers should implement their processes to respond to those rights. Please also look for the other blogs on the CPA for:
- Part III – Special Processing Activities (targeted ads, sales, profiling) & Consent
- Part IV – Responsibilities of the Parties & Contracts
Like most privacy laws, the CPA provides for consumer rights (section 6-1-1306), such as access, correction, deletion, and portability. Access includes the right to know whether a controller is processing the consumer’s data, as Virginia’s law also provides. The right to portability gives the consumer the ability to receive the data covered by the right to access in a portable and machine-readable format, where technically feasible, that enables the consumer to transmit the data to another entity without hindrance. Controllers are not required to provide information that discloses trade secrets.
Consumers may only exercise the right to data portability twice per calendar year. California has a similar provision, related to certain rights (under sections 1798.110 and 1798.115), but with a significant difference – under California a business may refuse to grant the request more than twice in a twelve-month period. Although subtle, these differences must be operationalized.
There are other operational requirements, such as providing a method for consumers to submit rights requests in a manner consistent with normal interactions with the controllers and verifying authentication of the requests. Controllers are not permitted to require consumers to create accounts to submit requests but may require requests to be submitted through existing accounts.
Responding to Consumer Requests
Timeframes. Controllers must respond to consumer requests without undue delay and no later than 45 days after receiving the request. The timeframe may be extended to an additional 45 days, taking into account the complexity and number of requests, as long as the consumer is notified within the first 45 days and informed of the reasons for the delay.
Denials. If the request is denied, controllers must provide the determination within 45 days after receiving the request, along with the reasons for the determination and how to appeal the decision.
Charges. Controllers shall grant requests for free once annually. They can charge for the second or subsequent request within 12 months, calculated per the Colorado Open Records Act (section 24-72-205(5)(a)) of 25 cents per page for paper or the actual cost to produce the electronic copy. Note that the 12-month period does not necessarily correlate with the calendar year restriction on requests – another subtle difference that needs to be operationalized.
Authentication. If a controller cannot authenticate a request, it may ask the consumer for additional information in order to do so. Controllers are not required to respond to requests they cannot authenticate.
Appeals. Controllers must establish an internal appeals process for consumers who wish to appeal a denied request. The appeals process should be easy to find and easy to use. Controllers must respond to an appeal within 45 days with a written explanation. This timeframe may be extended by up to 60 additional days under the same extension requirements (reasonable given the complexity and number of requests, with the consumer notified within the first 45 days and informed of the reason for the delay). The appeals response must include information on how the consumer can contact the Attorney General with concerns.
To learn how TrustArc can help you prepare for the Colorado Privacy Act, visit trustarc.com.