On July 8, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA), the third comprehensive privacy law enacted at the state level following the passage of similar legislation in California (CCPA) and Virginia (CDPA). The CPA's effective date is July 1, 2023.
The CPA has a similar scope to its predecessors, and adopts many of the same data controller obligations and consumer rights as the laws in California and Virginia. Like the CDPA, the CPA does not create a private right of action for consumers; the CCPA likewise lacks one, except in response to a data breach.
However, the CPA does introduce certain unique elements, including an enforcement provision that distributes enforcement power between the state attorney general's office and district attorneys, and a right-to-opt-out provision mandating that data controllers make available to consumers a one-click, universal opt-out feature.
Other unique elements of the CPA include the lack of a specific entity-level exemption for HIPAA-regulated entities, the absence of any revenue thresholds in specifying the law's applicability, and a cure window that lasts for 60 days following notification to a data controller by an enforcement arm (subject to a two-year sunset provision).
Also notable is that the CPA puts in place broad requirements regarding data protection assessments. In particular, it states that controllers may not engage in data processing "that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities." The text of the CPA attempts to further define the processing activities that may present a "heightened risk of harm" to consumers; these include a controller's processing of sensitive data, selling consumers' personal data, processing data for purposes of targeted advertising, or processing data for "profiling if the profiling presents a reasonably foreseeable risk of . . . unfair or deceptive treatment of [consumers,] financial or physical injury to consumers . . . [or] physical or other intrusion upon the solitude or seclusion . . . of consumers if the intrusion would be offensive to a reasonable person."
For the most part, the CPA treads familiar territory. Its scope extends to any data controller who "[c]onducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado," and who "controls or processes the personal data of at least 100,000 consumers or more during a calendar year," or "derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more."
Numerous exemptions are made, including for deidentified data, data collected from individuals acting in a "commercial or employment context," and, generally, for entities regulated by the Gramm-Leach-Bliley Act. The CPA also omits from its definition of "sale" a number of controller- and processor-directed disclosures, such as disclosure of personal data as directed by a consumer or of data made publicly available by a consumer, disclosure of personal data to a “third party for the purposes of providing a product or service requested by the consumer,” and disclosure of personal data by a controller to an affiliate of the controller, or to a processor “that processes personal data on behalf of a controller.”
Importantly, the CPA defines "sale," in a manner similar to the CCPA, as "the exchange of personal data for monetary or other valuable consideration by a controller to a third party." The CPA, therefore, introduces the same questions the CCPA does regarding the interpretation of "other valuable consideration" in defining the sale of consumer data.
The CPA extends five primary rights to consumers, all of which resemble consumer rights found in the CCPA and the CDPA: access, correction, deletion, data portability, and the right to opt out of targeted advertising, the sale of personal data, and profiling that could produce legal effects for a consumer. Moreover, the Colorado attorney general is mandated to further specify the universal opt-out mechanism, noted above, prior to the CPA's effective date in 2023. The law notably provides consumers with the right to appeal a data controller's decision not to take corrective action within a reasonable time period.
Further, the CPA imposes on data controllers many of the same duties found in the California and Virginia laws. These include specific duties of transparency, purpose specification, data minimization, care, and avoidance of secondary use and unlawful discrimination.
Penalties under the CPA are delineated by the Colorado Consumer Protection Act. Any entity found in noncompliance with the CPA is deemed to have engaged in a “deceptive trade practice,” and can be fined up to $20,000 per violation. The Colorado Consumer Protection Act notes that a “violation” of any provision of the CPA “shall constitute a separate violation with respect to each consumer or transaction involved” in the subject act.