Reed Smith Client Alerts

The Colorado Privacy Act (CPA) has passed both houses of the Colorado General Assembly and now heads to the governor’s desk for final approval. If signed into law, it will take effect on July 1, 2023, and make Colorado the third state with a comprehensive privacy act. The act provides certain rights to consumers regarding their personal data, but lacks a private right of action. It also contains a 60-day right to cure prior to January 1, 2025. The legislation would impart significant rulemaking authority to Attorney General (AG) Phil Weiser.

On June 8, 2021, the Colorado Senate approved the latest set of amendments to the CPA. If signed into law by Gov. Jared Polis (D), it will be the third comprehensive privacy act in the country, following California and Virginia.

AG Weiser has long been outspoken about the need for a comprehensive state law, with the goal of building consumer confidence in data protection. With this legislation, he will wield significant rulemaking authority to flesh out consumer privacy protections for consumers.

Applicability of the CPA

The CPA applies to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that either: (1) process the personal data of at least 100,000 consumers; or (2) derive revenue (or discounts) from the sale of personal data of at least 25,000 consumers. See SB21-190, section 1304.  “Consumer” is defined as a Colorado resident, but only “acting in an individual or household context,” and not anyone acting in a commercial or employment context, similar to the way in which the Virginia Consumer Data Protection Act (VCDPA) is structured. See section 1303(6).

The bill has a relatively broad definition of “personal data.” Specifically, “personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual” and excludes publicly available data and de-identified data. This definition is not as broad as the definition of “personal information” under the California Consumer Privacy Act (CCPA) but notably includes the term “reasonably linkable,” which means that digital data exchanges should be closely scrutinized to determine whether they fall within the scope of “personal data.”

The bill has some notable exclusions from its applicability, including for health care and credit information, employment data, and data collected from financial institutions. See section 1304(2). It also does not apply to de-identified data.

Controllers and processors

Like the VCDPA, Colorado’s CPA also includes the “processor” and “controller” delineation. A controller is defined as a “person that … determines the purpose for and means of processing personal data” and a processor is defined as a “person that processes personal data on behalf of a controller.” The CPA requires that the controller and any processor have a contractually defined relationship and that they ensure certain limitations and security procedures are in place to safeguard the personal data that flows as a result of their relationship. See section 1305.

1. Duties of controllers

The CPA imposes a number of duties on controllers. For example, controllers must be transparent and provide clear privacy notices that advise consumers of the categories of personal data they collect, the purpose of collection, methods for consumers to exercise their rights (as discussed below), an explanation of what data is shared with third parties (and categories of those third parties), and whether the controller sells personal data or uses it for targeted advertisement. See section 1308(a). The controller cannot require a consumer to create an account solely to exercise their rights, or alter the service provided to a consumer solely based on the consumer exercising their rights under the CPA. Also, the bill provides that controllers must minimize data by limiting collection to what is “reasonably necessary,” “adequate,” and “relevant” to the specified purpose.

Consistent with the standards of data minimization that new laws are imposing here in the United States (such as the VCDPA and the California Privacy Rights Act (CPRA)), the CPA requires controllers to limit the use of data to the specified purpose. The CPA also obliges controllers to take reasonable measures to secure personal data, and prohibits them from discriminating against users who exercise their choices under the CPA, as do the VCDPA and the CPRA. With regard to sensitive personal data, a controller must first obtain the consumer’s express consent before processing such data, which is similar to the VCDPA. The CPA does not limit a controller’s ability to comply with law enforcement or legal requirements that may be associated with the personal data, provide services requested by consumers, or prevent or detect theft or other illegal activity. See section 1304(3)(a)