The 101 Guide to Colorado's Data Privacy Regulation
Colorado, following in California and Virginia’s footsteps, became one of the first 5 American states to pass a comprehensive data privacy law, the Colorado Privacy Act (CPA), in 2021. With the effective date of July 1, 2023 now here, here’s a rundown of what is actually in the CPA and how to comply.
July 1, 2023 is also of note because California’s CPRA amendments and Connecticut’s CTDPA officially trigger, making it one of the most consequential days in American data privacy history. While the CPA overlaps a good deal with the CTDPA, it does not contain many of the extended rules and rights featured in the CPRA.
Colorado Data Privacy Law at a Glance
The Colorado Privacy Act uses a standard framework for its applicability threshold: businesses that provide goods or services to Colorado consumers need to comply if:
- the organization handles the personal data of over 100,000 Colorado consumers per calendar year or
- earns revenue from selling the data of at least 25,000 consumers.
The definition of consumer in the CPA is a Colorado resident acting in an individual capacity, which means it does not extend to employees, unlike the CPRA.
Personal information is described as things like names, emails, phone numbers, and addresses, which is in line with most data privacy regulations. The CPA’s definition does not include de-identified data or publicly available information.
Colorado Data Privacy Law Exemptions
Colorado’s CPA has several exemptions, mostly around various financial and healthcare related designations.
Most notable in the CPA is the fact that non-profit organizations are subject to the law and are not exempt, a major deviation from other state regulations.
CPA exemptions also revolve around data processing for legal, quality assurance, or security reasons, most of which can be considered under the umbrella of public interest (which is also why government entities are exempt).
Major exemptions:
- Entities covered by HIPAA
- Personal data subject to the Gramm-Leach-Bliley Act (GLBA)
- Government or administrative bodies within Colorado
- HIPAA-protected and/or authorized health information
- Children’s Online Privacy Protection Act (COPPA)
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
Colorado Consumer Data Rights
The CPA establishes a similar list of data rights for the public that Virginia’s VCDPA does.
While Colorado does not feature the private right of action like California’s amended CCPA does, it does allow individuals to designate authorized agents to act on their behalf when exercising data rights. This essentially means that people can seek help when trying to get their data deleted (among other things), a big help to people who may not fully know their rights or may not be very technologically literate.
The CPA was also amended to include the right to revoke consent, giving the law a leg up on others, as only 3 states currently enable this right.
Other CPA Data Rights:
- Right to opt out – consumers have the right to opt out of the processing of their personal data for targeted advertising, sale to a third party, or profiling;
- Right of access – consumers have the right to know if a controller is processing their personal data and may access it at any time;
- Right to correction – consumers have the right to correct inaccuracies in their personal data;
- Right to deletion – consumers have the right to have controllers delete their personal data;
- Right to data portability – consumers have the right to obtain their data in a portable and accessible format so they can transmit it to other businesses.
Colorado Data Privacy Law Requirements
Colorado has several high-level requirements that originate from the GDPR, such as:
- Data protection impact assessments
- Freely given consent from individuals
- Clear and accessible privacy notices that explain what data is being collected, why it’s being processed, who it may be shared with, and how people can exercise their data rights
- Restricted data collection (data minimization)
- Data processing agreements (DPAs) between controllers and processors
Similar to clear and understandable privacy notices, data controllers must disclose any form of targeted advertising and provide an opt-out for such activity.
Controllers also have to obtain additional consent when collecting data outside of the defined scope within the privacy notice or when selling data to third parties (which must be identified).
The CPA defines the age of a child at 13, below the GDPR mark of 16. When processing children’s data, controllers must get consent from a parent or guardian.
The data subject request (DSR) timeline is the same as nearly every other American state-level timeline, set at 45 days to respond and 45 days for a response extension. Sensitive data has stronger protections in place, and must be deleted within 12 hours when prompted by an individual request.
Another similarity to other state-level laws is the lack of a data breach notification rule, but that is covered by a prior law, C.R.S. § 6-1-716.
Colorado Data Privacy Enforcement
Colorado has taken a different approach to the monetary side of enforcement, although the CPA will be solely enforced by the Colorado Attorney General and Colorado District Attorneys, which is standard practice for state-level regulations.
Instead of the typical $7500 fine per violation most states have instituted, non-compliance with the CPA is considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation and up to $500,000 for a series of violations.
With the law entering into effect July 1, 2023, there will be a 60-day cure period available until January 1, 2025. After that date, controllers will be able to request opinion letters and interpretative guidance from the Attorney General’s office if issued a warning of non-compliance.