On July 7, 2021, Gov. Jared Polis signed into law the Colorado Privacy Act (CPA), which will go into effect on July 1, 2023. Like California’s and Virginia’s data privacy laws, the CPA aims to provide consumers with greater control over their data and enhanced transparency with respect to how their data is used. However, businesses should pay close attention to the unique nuances of the CPA, which are likely to complicate compliance strategies.
The CPA applies to data “controllers” that “conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado” and that:
- “Control or process the personal data of [100,000 Colorado residents] or more during a calendar year,” or
- “Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of [25,000 Colorado residents] or more.”
“Controller” is defined as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data.”
The CPA covers “consumers” who are defined as “Colorado resident[s] acting only in an individual or household context.” Importantly, it does not cover individuals “acting in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context.”
The CPA applies to “personal data” which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual” and “[d]oes not include deidentified data or publicly available information.”
The CPA does not apply to:
- Certain healthcare related information, including information related to HIPAA compliance;
- “Activit[ies] involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by” (1) consumer reporting agencies, (2) furnishers of information for use in a consumer report, and (3) users of a consumer report;
- Personal data in connection with certain state and federal laws, including:
- The Colorado Health Benefit Exchange Act;
- The federal Gramm-Leach-Bliley Act;
- The federal Driver’s Privacy Protection Act of 1994;
- The federal Children’s Online Privacy Protection Act of 1998; or
- The federal Family Educational Rights and Privacy Act of 1974.
- “Data maintained for employment records purposes;”
- Air carriers;
- A national securities association registered pursuant to the Securities Exchange Act of 1934;
- Financial institutions covered under the federal Gramm-Leach-Bliley Act and implementing regulations;
- “Customer data maintained by” public utilities or state body “if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law;” and
- “Data maintained by” state and municipal government entities (including state institutions of higher education) “if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes.”
Rights and Requirements
The CPA provides consumers with the following rights:
- “[T]he right to opt out of the processing of personal data concerning the consumer for the purposes of” (1) “targeted advertising,” (2) “sale of personal data,” and (3) “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”
- “[T]he right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
- “[T]he right to obtain [their] personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”
- “[T]he right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of processing the consumer’s personal data.”
- “[T]he right to delete personal data concerning the consumer.”
It bears emphasizing that the CPA’s right to deletion, like Virginia’s, is broader than California’s in that it applies to any personal data concerning the consumer, not just personal data collected from the consumer herself.
The CPA prohibits a controller from “increase[ing] the cost of, or decreas[ing] the availability of, [a] product or service” due solely to a consumer’s “exercise of a right” where such action by the controller is “unrelated to feasibility or the value of a service.”
The CPA requires a controller to “inform a consumer of any action taken on a request…without undue delay and, in any event, within  days after receipt of the request.” The CPA permits a controller to extend the 45-day period by an additional 45 days “where reasonably necessary, taking into account the complexity and number of the requests.” A controller exercising the additional 45-day period must inform the consumer of the extension within the initial 45 days following receipt of the request in addition to the reasons for the extension.
A controller is not required to comply with a consumer’s request “if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.”
If a controller does not take action in response to a consumer request, the controller must “inform the consumer, without undue delay and, at the latest within  days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller.”
The CPA requires controllers to “establish an internal process whereby consumers may appeal a refusal to take action on a request.” Controllers must respond to an appeal within 45 days of receipt with the ability to extend for an additional 60 days “taking into account the complexity and number of requests serving as the basis for the appeal.” A controller must inform a consumer of the extension within 45 days of receiving the appeal “together with the reasons for the delay.” A controller is also required to inform consumers of their right to contact the Colorado Attorney General regarding the result of their appeal.
The CPA requires controllers to adhere to the following requirements:
- “[P]rovide consumers with a reasonably accessible, clear, and meaningful privacy notice” including:
- “The categories of personal data collected or processed by the controller or a processor1;”
- “The purposes for which the categories of personal data are processed;”
- “How and where consumers may exercise their rights [under the CPA], including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;”
- “The categories of personal data that the controller shares with third parties, if any;”
- “The categories of third parties, if any, with whom the controller shares personal data.”
- “[C]learly and conspicuously disclose the sale [of personal data to third parties] or processing [of personal data for targeted advertising], as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.”
- “[S]pecify the express purposes for which personal data are collected and processed.”
- Ensure “collection of personal data [is] adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”
- “[N]ot process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent.”
- “[T]ake reasonable measures to secure personal data during both storage and use from unauthorized acquisition.” Such measures “must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”
- “[N]ot process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.”
- “[N]ot process a consumer’s sensitive data without first obtaining the consumer’s consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child’s parent or guardian.” “Sensitive data” is defined as (1) “[p]ersonal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status,” (2) [g]enetic or biometric data that may be processed for the purpose of uniquely identifying an individual,” or (3) [p]ersonal data from a known child.” “‘Child’ means an individual under 13 years of age.”
In addition, the CPA prohibits controllers from “conduct[ing] processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of” such data processing activities. The data protection assessment requirement only applies to “personal data acquired on or after” the CPA’s effective date and to processing activities created or generated after July 1, 2023. The requirement is not retroactive. “Processing activities that present a heightened risk of harm to a consumer” include:
- “Processing personal data for purposes of targeted advertising or for profiling if that profiling presents a reasonably foreseeable risk of:
(I) [u]nfair or deceptive treatment of, or unlawful disparate impact on, consumers; (II) [f]inancial or physical injury to consumers;
(III) [a] physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
(IV) [o]ther substantial injury to consumers;”
- “Selling personal data”; and
- “Processing sensitive data.”
As part of the data protection assessment, controllers must “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, and other stakeholders, and the public against potential risks to the rights of the consumer associated with the processing, as mitigated by the safeguards that the controller can employ to reduce the risks.” Controllers are directed to “factor into th[e] assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of processing and the relationship between the controller and the consumer whose personal data will be processed.”
Data processing assessments must be made available to the Colorado Attorney General upon request.
Enforcement and Penalties
The Colorado Attorney General and Colorado District Attorneys are granted exclusive authority to enforce the CPA. Violations of the CPA will constitute a deceptive trade practice carrying penalties of up to $2,000 per violation, but not more than $500,000 per series of violations. In addition to seeking monetary penalties, the Colorado Attorney General and Colorado District Attorneys are able seek injunctive relief to enjoin violations of the CPA. Importantly, the CPA explicitly excludes a private right of action.
Until January 1, 2025, controllers will receive an opportunity to cure violations within 60 days before facing an enforcement action.
The Colorado Attorney General is also authorized to promulgate rules under the CPA. By July 1, 2023, the Attorney General must promulgate rules for universal opt-out mechanisms related to the processing of personal data for targeted advertising or the sale of personal data. By January 1, 2025, the Attorney General may adopt additional rules “govern[ing] the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of [the CPA].” Such rules must become effective by July 1, 2025.
While July 1, 2023 may seem far away, businesses should begin familiarizing themselves with the CPA and address necessary compliance measures at the same time they institute compliance measures for the Virginia Consumer Data Protection Act and the California Privacy Rights Act, which take effect January 1, 2023.
1 Processor is defined as “a person that processes personal data on behalf of a controller.”