The Colorado Privacy Act: What It Is and How To Stay Compliant
Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law in July, 2021, making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law to protect its residents. The Colorado Privacy Act went into effect on July 1, 2023. The CPA gives consumers new rights and requires some businesses and other organizations to abide by new responsibilities when it comes to the collection and use of personal data.
Key Components:
The CPA applies to entities that conduct business or deliver commercial products or services targeted to residents in Colorado and either:
- process or control the data of 100,000 or more consumers annually or
- receive any revenue or discount from selling the personal data or control of personal data of 25,000 or more consumers annually.
The CPA defines "processing" as "the collection, use, sale, storage, disclosure, analysis, deletion, or modification of Personal Data and includes the actions of a Controller directing a Processor to Process Personal Data." "Controlling" uses the common definition of determining the purposes for and means of Processing Personal Data.
These thresholds and definitions are similar to those in several other states. However, what makes the CPA unique is that it does not exempt nonprofit entities. For-profit and nonprofit entities must comply with several provisions, which include:
Ensuring consumers' rights to the following:
The right to access their own data:- Consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
The right to data portability:- Consumers have “the right to obtain a personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”
The right to delete:- Consumers have “the right to delete personal data concerning the consumer.”
The right to correct inaccuracies in their personal data:- Consumers have “the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.”
The right to opt out:- In Colorado, consumers can opt out of the sale of their personal data or targeted advertising, but this process requires authentication.
The right to appeal:- Under the CPA, a business must respond to a consumer request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.
Obtaining consent before processing sensitive data:- This includes data about race or ethnic origin, religious beliefs, mental or physical health, citizenship status, sexual orientation, and identifying biometrics. Additionally, any personal data of children under the age of 13 falls under this umbrella.
Providing privacy notices about how data will be used and processed:- Data must be processed in a way that "ensures reasonable and appropriate administrative, technical, organizational, and physical safeguard." Among other factors, businesses should consider industry standards, the size and complexity of the organization, and the sensitivity of the data when determining reasonable safeguards.
Refraining from discriminating against consumers who exercise their rights:-
Entering into Data Protection Agreements with vendors to ensure compliance with the CPA and to put them in the role of "processor," as opposed to "third party" to whom opt-out rights would apply.
Key Roles Under the Colorado Privacy Act
Consumer: Under the Colorado Privacy Act, the definition of a consumer is more narrow than the CCPA. It only includes a Colorado resident acting in an individual or household context. It excludes individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
Data controller: The Colorado Privacy Act defines a data controller as a person that, alone or jointly with others, determines the purposes for and means of processing personal data. By this definition, a data controller could be a company, but is not explicitly limited to businesses.
Data processor: A data processor, under the Colorado Privacy Act, is a natural or legal entity that processes personal data on behalf of a controller. While most data processors are corporate entities, they can also be another third party.
Key obligations in the Colorado Privacy Act
Organizations subject to the Colorado Privacy Act are compelled to fulfill a number of duties, including the following.
Duty of Care: Organizations must take reasonable measures to secure data from unauthorized access. This includes protecting data during storage and use.
Duty of Data Minimization: Collect only consumers’ personal data that is adequate, relevant, and limited to what is reasonably necessary to fulfill the communicated purpose.
Duty of Purpose Specification: Make it clear to consumers why their personal data is being collected and for what specific purposes.
Key obligations in the Colorado Privacy Act
Organizations subject to the Colorado Privacy Act are compelled to fulfill a number of duties, including the following.
Duty of Care: Organizations must take reasonable measures to secure data from unauthorized access. This includes protecting data during storage and use.
Duty of Data Minimization: Collect only consumers’ personal data that is adequate, relevant, and limited to what is reasonably necessary to fulfill the communicated purpose.
Duty of Purpose Specification: Make it clear to consumers why their personal data is being collected and for what specific purposes.
Duty of Transparency: Organizations must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- Categories of personal data collected or processed by the organization or a processor
- Purposes for which the categories of personal data are processed
- Estimate of how long the organization can or will maintain the consumer’s personal data
- Explanation of how and where consumers may exercise their rights*
- Categories of personal data that the controller shares with third parties
- Categories of third parties, if any, with which an organization shares personal data
- Duty Regarding Sensitive Data
- Sensitive data may not be processed without first obtaining the consumer’s consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian.
Duty to Avoid Secondary Use: Organizations may not process consumers’ personal data for purposes that are not reasonable or necessary to the communicated purpose.
Duty to Avoid Unlawful Discrimination: Organizations may not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers.
Duty to Conduct Data Protection Assessments: Data protection assessments must be conducted for each personal data processing activity that presents a “heightened risk of harm to consumers” before engaging in that data processing. Upon request, organizations must make these data protection assessments available to the Attorney General’s office.
A “heightened risk of harm to a consumer” includes:
The processing of personal data for purposes of targeted advertising The processing of personal data for purposes of profiling if profiling presents a reasonably foreseeable risk of: 1) Unfair or deceptive treatment or disparate impact of consumers 2) Financial or physical injury to consumers 3) Physical or other intrusions on consumers’ privacy 4) Other substantial injuries to consumers The sale of personal data The processing of sensitive data
A “heightened risk of harm to a consumer” includes:
- The processing of personal data for purposes of targeted advertising
- The processing of personal data for purposes of profiling if profiling presents a reasonably foreseeable risk of:
1) Unfair or deceptive treatment or disparate impact of consumers
2) Financial or physical injury to consumers
3) Physical or other intrusions on consumers’ privacy
4) Other substantial injuries to consumers
- The sale of personal data
- The processing of sensitive data
About Ardent Privacy:
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with various global regulations by taking a data centric approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, data inventory, map, data minimization, and securely delete data in enterprises to reduce legal and financial liability.