Colorado Is the Latest State to Enact a Data Privacy Law: Here’s What You Need to Know
Colorado has become the third state to enact a comprehensive data privacy statute imposing compliance obligations on legal entities that collect or process the personal data of its residents. The Colorado Privacy Act (CPA) is based on and enforces many of the same key concepts as do other data privacy statutes and regulations. As such, companies that are implementing or updating compliance programs for the European Union’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Virginia Consumer Data Protection Act (CDPA) will be familiar with the main provisions of the CPA and likely will have an easier time achieving compliance. There are, however, some important distinctions that companies must consider as part of any ongoing compliance efforts in anticipation of the CPA’s effective date of July 1, 2023.
As a threshold matter, the CPA applies to legal entities that (i) conduct business in Colorado or produce or deliver commercial products or services that are “intentionally targeted to residents of Colorado,” and (ii) either (a) control or process personal data of more than 100,000 consumers per year or (b) earn revenue (or receive a discount on goods or services) from the sale of personal data and control or process personal data of more than 25,000 consumers. Notably, the CPA does not include any minimum revenue threshold and, therefore, the CPA may apply to any entity regardless of its total annual revenue or how much annual revenue is derived from the sale of personal data.
Companies that meet these initial thresholds should be aware of the following provisions to determine the scope and extent of compliance obligations, if any:
- The CPA defines “consumer” narrowly as a Colorado resident acting only in an individual or household context and, unlike other privacy statutes, explicitly exempts from its purview someone acting in a commercial or employment context.
- The CPA defines “personal data” as information that is linked or reasonably linkable to an identified or identifiable natural person, with exceptions for “de-identified data” and “publicly available information.”
- The CPA provides certain entity-based exemptions to regulated entities, including financial institutions subject to the Gramm-Leach-Bliley Act, airlines, national securities associations, public utilities, and certain institutions of higher education. The CPA does not apply to entities qualifying under these exemptions even though the data collected or processed would otherwise be covered by the statute.
- The CPA also provides certain data-based exemptions for personal data subject to the Gramm-Leach-Bliley Act, Family Educational Rights and Privacy Act, Children’s Online Privacy Protection Act of 1998, Driver’s Privacy Protection Act of 1994, protected health information under the Health Insurance Portability and Accountability Act (HIPAA), personal information subject to the Fair Credit Reporting Act, and data maintained for employment records purposes. As with the entity exemptions, the CPA does not apply to personal data within the scope of these parameters even though the data collected or processed would otherwise be covered by the CPA.
Any entity subject to the CPA that is a data “controller” (i.e., a person who determines the purposes and means of processing the data) must comply with various requirements, including the following:
- Providing consumers with an accessible and clear privacy notice that includes the categories of the personal data collected or processed, the purposes of the processing, whether and with whom personal data is shared, and how to exercise the consumer’s rights and appeal.
- Limiting the collection of personal data to what is “reasonably necessary” for the specific purposes for which the data is being processed, and prohibiting processing for any other purposes absent express consent from the consumer.
- Implementing security measures that are “appropriate to the volume, scope and nature of the personal data processed.”
- Prohibiting the processing of “sensitive data” absent express consent from the consumer.
The CPA also requires a data controller to enter into a written contract with any data “processor” (i.e., a person who processes personal data on behalf of a controller). The contract must include a binding set of processing instructions, the specific purpose of processing, the type of personal data to be processed, the duration of processing, restrictions on engaging subcontractors, a duty of data confidentiality for each processor, and an obligation to delete or return all personal data at the controller’s option upon termination. Because of the increased risk of a security incident from third-party access or processing, these types of requirements are becoming the norm in third-party contracts.
Additionally, the CPA provides consumers with the following rights with respect to the protection and control of their personal data:
- The right to confirm whether a controller is processing a consumer’s personal data and to access that data
- The right to correct any inaccurate personal data
- The right to delete personal data concerning the consumer
- The right to data portability
- An appeal process for refusal of any of the consumer’s rights
Finally, there are numerous provisions unique to the CPA. Perhaps the most notable is the opt-out regime, which requires controllers who process personal data for purposes of targeted advertising or the sale of personal data to provide a “universal opt-out mechanism” for consumers who do not want their data used for advertising or sold for any purpose. Because this requirement is unique to Colorado, the CPA provides an additional year – until July 1, 2024 – for businesses to comply. It is also notable that the CPA, unlike some other consumer-oriented privacy statutes, does not provide a private right of action for alleged violations or non-compliance, but allows both the state district attorneys and the state attorney general to enforce the statute.
The CPA is not groundbreaking, but it reflects the growing trend of individual states adopting comprehensive legislation to protect residents’ personal data. It also highlights the difficulty for affected businesses: that is, each state’s regime has different compliance obligations and different compliance deadlines. As noted, compliance with the CPA is required by July 1, 2023 (except for the “universal opt-out mechanism,” which requires compliance by July 1, 2024). But businesses should also be aware that the compliance deadline for the California CPRA is January 1, 2023, and the deadline for the Virginia CDPA is July 1, 2022. Although compliance with multiple privacy regimes can seem overwhelming, businesses that already have compliance plans in place for the EU’s GDPR or California’s CCPA, or have plans in motion for future compliance with the CPRA or CDPA requirements, will have an easier time complying with the CPA. However, it is important to understand the nuances of each statute, remain diligent in your compliance efforts, and seek experienced legal counsel to ensure that a comprehensive program is in place and regularly updated in order to meet the ever-evolving compliance obligations.