On July 8, the Colorado Privacy Act was signed into law with an effective date of July 1, 2023. Like other omnibus state laws passed in the United States (California and Virginia notably), there are a lot of details to review. Colorado is perhaps an example of what we can expect in the future – some similarities, some differences, and some new elements. Similarities include consumer rights, privacy notices, and opt outs of certain processing activities, such as the sale of personal data.
This is the fourth part in a four-part series on the Colorado Privacy Act. In this part, we address the responsibilities of both controllers and processors, data protection assessments, and contracts. Please see the first three parts on:
- Part I – Overview
- Part II – Consumer Rights and how to implement your response program
- Part III – Special Processing Activities (targeted ads, sales, profiling) & Consent
Responsibilities of Controllers and Processors & Contracts
The obligations on each party are not uncommon. The controller and processor must be bound by written contracts and are each responsible for only the measures allocated to them, which must be clearly documented.
The CPA requires that controllers follow certain requirements, most presented as duties. One of the newer requirements is a specific requirement around secondary use of personal data.
Duty of transparency. Controllers must provide a privacy notice as listed above, comprising details about the personal data processed, consumer rights and how to opt out of certain activities, contact information, categories of third parties to which data is shared or sold (given the broad definition of sell).
Controllers are also not permitted to change the cost of availability of a product or service based on consumers exercising their rights.
Duty of purpose specification. A controller shall specify the express purpose is for which personal data are collected and processed.
Duty of data minimization. The collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.
Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent.
Duty of care. Controllers must take reasonable measures to secure personal data from unauthorized acquisition during both storage and use. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
Duty to avoid unlawful discrimination. Controllers shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
As noted above, controllers are also not permitted to change the cost or availability of services or products in relation to consumers exercising their rights – which is what the CCPA provides as their right to non-discrimination.
Duty regarding sensitive data. A controller shall not process sensitive data without first obtaining the consumer’s consent or process personal data concerning a known child without obtaining consent from the parent or guardian.
Data from children. Sensitive data includes that of children (under the age of 13).
Definition of sensitive data. Sensitive data includes personal data revealing racial or ethinic origin, religious beliefs, a mental of physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or personal data from a known child.
Data Protection Assessments
A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment on each of its processing activities that involve personal data acquired on or after the effective date of the section that present a heightened risk of harm to a consumer.
Heightened risk of harm includes:
- Selling personal data
- Processing sensitive data
- Processing personal data for targeted advertising or profiling if the profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of or unlawful despair impact on consumers,
- financial or physical injury to Consumers,
- physical or other intrusion upon the Solitude or seclusion of the Private Affairs or concerns of consumers if the intrusion would be offensive to a reason or purpose a reasonable person, or
- other substantial injuries to consumers.
Data protection assessments must identify and weigh the benefits, both direct and indirect, to itself, the consumers, other stakeholders, and the public against the potential risks to the rights of the consumer. The assessments should consider the safeguards that can reduce risks, including the use of de-identified data, expectations of consumers, and the relationship between the consumers and the controller.
These assessments must be provided to the Attorney General upon request, but the CPA states that the AG can use these assessments to determine compliance with any laws. On the positive side, a single data protection assessment can be used for processing activities that are similar. Data protection assessment requirements apply to processing activities created or generated after July 1, 2023 and are not retroactive.
- Adhere to the instructions of the controllers, including nature and purpose of processing along with type of personal data and duration of processing,
- Assist controllers in meeting their obligations regarding:
- consumer rights requests,
- security measures,
- breach notification, and
- data protection assessments
- Ensure each person accessing personal data are under confidentiality provisions
- Engage subprocessors only after giving controllers an opportunity to object and require written contract with the same obligations that apply to the processor, and
- Implement technical and organizational security measures based on risk and allocate responsibility between the parties.
Contracts between controllers and processors must include:
- The elements listed above, plus
- Return or delete data at termination unless required by law to retain (optional),
- Processor to provide controller documentation to demonstrate compliance, and
- Audit/audit report requirements
Contracts are not permitted to reduce or eliminate liabilities on either party imposed by the CPA.
To learn how TrustArc can help you prepare for the Colorado Privacy Act, visit trustarc.com.