Colorado passes comprehensive privacy law
On June 8, Colorado’s legislature passed the Colorado Privacy Act (ColoPA), which will impose new, substantial privacy requirements on many businesses operating in Colorado. Colorado Governor Jared Polis is expected to sign ColoPA into law by July 7. Although ColoPA will not take effect until July 1, 2023, businesses should not delay in considering its potential impact on their operations.
Colorado is the third U.S. state to pass a comprehensive privacy law, following California and Virginia. ColoPA shares many attributes with the California Privacy Rights Act (CPRA), which will amend the California Consumer Privacy Act (CCPA) effective, in most material respects, on January 1, 2023, and the Virginia Consumer Data Protection Act (VCDPA), which takes effect the same day. Despite a number of similarities, ColoPA also includes certain unique provisions discussed below, which businesses will need to consider and which may influence legislation in development in other states.
ColoPA applies to controllers—businesses that determine the purposes and means of processing personal data—that conduct business in Colorado (or target Colorado residents) and either (i) control or process the personal data of 100,000 or more consumers per calendar year or (ii) derive revenue or a discount from the sale of personal data and control or process the personal data of 25,000 or more consumers. “Consumers” include Colorado residents acting only in an individual, rather than commercial or employment, capacity. ColoPA also imposes a limited number of obligations on “processors,” who store and process data on behalf of a controller.
ColoPA’s distinction between controllers and processors mirrors the VCDPA, but other defined terms differ between the two laws. For example, ColoPA includes an expansive definition of “process,” which encompasses sale, storage, and other uses of personal data. ColoPA also defines “affiliates” to include companies that share 25% common ownership, which is lower than the 50% threshold imposed by the CPRA and VCDPA.
ColoPA does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act or to personal data collected in compliance with it. It similarly does not apply to air carriers or to certain data regulated by federal statutes, including the Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA).
Highlights of ColoPA
- Broad enforcement authority: Although ColoPA does not create a private right of action, it grants enforcement authority to both the Colorado attorney general and district attorneys, who may bring actions with civil penalties up to $20,000 per violation. By contrast, the VCDPA solely vests enforcement in the attorney general. ColoPA affords businesses a 60-day cure period following notice of an alleged violation; however, this provision will sunset on January 1, 2025. Penalties may be assessed on a per-transaction and per-consumer basis, and there is no cap on the total amount.
- Required disclosures and consumer rights: Like the CPRA and VCDPA, ColoPA provides consumers with various data subject rights, including the rights to: access or delete personal data; correct inaccuracies in personal data; obtain personal data in a portable format; and opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must generally respond to consumer requests within 45 days and must create an appeal process for consumers whose requests they are not able to fulfill. Businesses should consider reviewing their privacy policies and procedures to ensure that they meet the disclosure and consumer rights requirements prescribed by ColoPA.
- Mandatory universal opt-out mechanism: ColoPA requires the attorney general to promulgate rules for a “universal opt-out” mechanism covering targeted advertising and the sale of personal data by July 1, 2023. Beginning July 1, 2024, controllers must honor this mechanism. The scope of the universal opt-out provision is unique to ColoPA: although the CPRA introduces a similar procedure, it is not binding on businesses. Controllers may create procedures through which consumers can opt back in to the processing of their personal data and supersede a previous universal opt-out. Given the uncertainty about how the attorney general will implement this provision, businesses should consider monitoring this topic for further updates.
- Contracts with processors: ColoPA requires processors and controllers to enter into a contract that describes instructions for processing personal data, the type of personal data being processed, and other provisions for carrying out the obligations of ColoPA. In addition, processors must ensure that any of their subcontractors are contractually obligated to fulfill their duties under ColoPA. Controllers should consider identifying the processors that they engage with and drafting and negotiating data contracts with them. Businesses should also note that the distinction between processor and controller is a context-dependent inquiry: if a processor begins to act as a controller, it may assume additional obligations under ColoPA.
- Data protection assessments: Similar to the VCDPA, ColoPA requires controllers to conduct “data protection assessments” before engaging in “processing that presents a heightened risk of harm to a consumer.” Activities requiring a data protection assessment include processing personal data for targeted advertising or profiling, selling personal data, and processing sensitive data. While these assessments are not publicly accessible, the attorney general may require a controller to produce them. Although the data protection assessment requirement does not apply retroactively, companies that expect to begin new processing of consumers’ personal data on or after July 1, 2023 should ensure they maintain a process for conducting assessments.
The passage of ColoPA marks a third major privacy law that will come into effect in 2023, along with the VCDPA and CPRA. Businesses should consider assessing the applicability of these laws to their operations and the measures needed to ensure compliance. Businesses also should keep a close watch on the continued evolution of U.S. data privacy legislation, as each new law that is passed can have a significant impact on their compliance programs. Previous client updates regarding related U.S. privacy laws are available here.