On June 8, 2021, the Colorado Senate approved the latest set of amendments to the CPA. If signed into law by Gov. Jared Polis (D), it will be the third comprehensive privacy act in the country, following California and Virginia.
AG Weiser has long been outspoken about the need for a comprehensive state law, with the goal of building consumer confidence in data protection. With this legislation, he will wield significant rulemaking authority to flesh out the Act's consumer privacy protections.
Applicability of the CPA
The CPA applies to legal entities that conduct business in Colorado, or produce or deliver commercial products or services intentionally targeted to Colorado residents, and that either: (1) control or process the personal data of at least 100,000 consumers during a calendar year; or (2) derive revenue, or receive a discount on the price of goods or services, from the sale of personal data and control or process the personal data of at least 25,000 consumers. See SB21-190, section 1304. “Consumer” is defined as a Colorado resident, but only “acting in an individual or household context,” and not anyone acting in a commercial or employment context, similar to the way in which the Virginia Consumer Data Protection Act (VCDPA) is structured. See section 1303(6).
The bill has a relatively broad definition of “personal data.” Specifically, “personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual” and excludes publicly available data and de-identified data. This definition is not as broad as the definition of “personal information” under the California Consumer Privacy Act (CCPA) but notably includes the term “reasonably linkable,” which means that digital data exchanges should be closely scrutinized to determine whether they fall within the scope of “personal data.”
The bill has some notable exclusions from its applicability, including for health care and credit information, employment data, and data collected by financial institutions under federal financial privacy law. See section 1304(2). Because de-identified data is carved out of the definition of “personal data,” it also falls outside the bill's scope.
Controllers and processors
Like the VCDPA, Colorado’s CPA also includes the “processor” and “controller” delineation. A controller is defined as a “person that … determines the purpose for and means of processing personal data” and a processor is defined as a “person that processes personal data on behalf of a controller.” The CPA requires that the controller and any processor have a contractually defined relationship and that they ensure certain limitations and security procedures are in place to safeguard the personal data that flows as a result of their relationship. See section 1305.
1. Duties of controllers
The CPA imposes a number of duties on controllers. For example, controllers must be transparent and provide clear privacy notices that advise consumers of the categories of personal data they collect, the purpose of collection, methods for consumers to exercise their rights (as discussed below), an explanation of what data is shared with third parties (and categories of those third parties), and whether the controller sells personal data or uses it for targeted advertisement. See section 1308(a). The controller cannot require a consumer to create an account solely to exercise their rights, or alter the service provided to a consumer solely based on the consumer exercising their rights under the CPA. Also, the bill provides that controllers must minimize data by limiting collection to what is “reasonably necessary,” “adequate,” and “relevant” to the specified purpose.
Consistent with the data minimization standards that new laws are imposing here in the United States (such as the VCDPA and the California Privacy Rights Act (CPRA)), the CPA requires controllers to limit the use of data to the specified purpose. The CPA also obliges controllers to take reasonable measures to secure personal data, and prohibits them from discriminating against consumers who exercise their choices under the CPA, as do the VCDPA and the CPRA. With regard to sensitive personal data, a controller must first obtain the consumer’s express consent before processing such data, which is similar to the VCDPA. The CPA does not limit a controller’s ability to comply with law enforcement or legal requirements that may be associated with the personal data, provide services requested by consumers, or prevent or detect theft or other illegal activity. See section 1304(3)(a).
2. Duties of processors
While a controller is the primary party responsible for personal data as to the consumer, the CPA also regulates processors. Under the CPA, a controller and processor must have a contractually defined relationship that includes particular mandated provisions. The contract must set out the nature and purpose of the processing, the type of data processed and duration of processing, and what happens to the data at the end of the contract. A processor also must assist the controller in meeting its obligations to consumers by helping the controller respond to consumers’ requests, meet security and breach notification obligations, and make available all information necessary to conduct a data protection assessment. See section 1305(1)-(2). A processor also must ensure that each person processing the data operates under a duty of confidentiality and must provide the controller an opportunity to object before engaging a subcontractor. See section 1305(3).
Consumer rights
Under the CPA, a consumer has the right to opt out of the processing of personal data for: targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. See section 1306(1)(a). Similar to the CCPA, “sale” is broadly defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” A controller must provide a clear and conspicuous method to exercise the opt-out option, and the consumer can designate a third party to exercise that option for them, including through technology such as a universal opt-out signal. The CPA also provides consumers with the right to confirm whether a controller is processing their personal data, and the right to access such data. See section 1306(1)(b). The bill gives consumers the right to correct inaccuracies in their personal data, to delete it, and to receive the data in a portable format. See section 1306(1)(c)-(e). A controller must respond to any of these requests within 45 days (which can be extended by an additional 45 days, if reasonably necessary). The CPA also requires the controller to offer an appeals process if any request is denied. The bill provides an exception for controllers processing de-identified data, which are not required to re-identify the data in order to respond to a request. See section 1307.
Data protection assessment
Under the CPA, controllers also must perform, and document, a data protection assessment (DPA) before processing personal data in a manner that presents a “heightened risk of harm to a consumer.” See section 1309. This includes: processing data for targeted advertising if there is a reasonably foreseeable risk of unfair or disparate treatment, financial or physical injury, intrusion on privacy, or other substantial injury; selling personal data; and processing sensitive data. The DPA must weigh the potential benefits, versus potential risks, to the consumer, and should consider possible ways to mitigate those risks. The assessment must be documented and made available to the AG upon request, but is otherwise not publicly available, including through public records requests. As under the VCDPA, attorney-client privilege will not be waived when disclosing a DPA to the state AG’s office.
Enforcement and liability
The CPA does not contain a private right of action. It is only enforceable by Colorado’s AG and the district attorneys. Prior to taking any enforcement action, the AG or district attorney must provide the controller with a notice of violation. The controller then has 60 days to cure the violation before any enforcement action can be taken. However, the right to cure will expire on January 1, 2025. Each violation of the CPA is subject to a civil penalty of up to $20,000. Each affected consumer or transaction is a separate violation, and the statute does not cap the number of violations or penalty amount. See C.R.S. 6-1-112.
Attorney General’s rulemaking authority
The bill provides the Colorado AG with broad rulemaking authority. By July 1, 2023, the AG shall adopt rules detailing the technical specifications for a universal opt-out mechanism, which must not allow a platform or browser manufacturer to gain an unfair advantage and must inform consumers about their opt-out rights. See section 1313. The mechanism also must not be a default consent setting, but instead must represent the consumer's affirmative, freely given choice, presented through a clear, user-friendly experience. The AG also may adopt rules governing opinion letters and interpretive guidance, which would include a good-faith reliance defense for entities that act in accordance with them.
The Colorado AG has advised organizations to work with his office in a “straightforward and collaborative manner,” stressing the importance of taking responsibility for a given situation and explaining how it is being remedied. For more information on the state AG’s views on data privacy, please reference our interview from late 2020.
Client Alert 2021-169