Colorado Becomes the Third State to Pass Consumer Data Privacy Bill

Colorado’s legislature has overwhelmingly passed the Colorado Privacy Act (“CPA”), making it the third state, after California and Virginia, to pass a comprehensive consumer data privacy bill. If the Colorado Governor signs the CPA, it will become effective on July 1, 2023.

Applicability. CPA will apply to any organization conducting business in Colorado or targeting its products or services to Colorado residents that either: (1) processes or controls the personal data of more than 100,000 consumers annually; or (2) derives revenue from the sale of personal data in addition to processing or controlling the personal data of 25,000 consumers or more.

Exemptions. CPA exempts several entities and types of personal information governed under federal law, including protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the GLBA, information regulated by the FCRA, COPPA, and FERPA, and information regulated by the Driver’s Privacy Protection Act of 1994.

Consumer rights. CPA provides consumers with rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receipt of the request. CPA requires controllers to allow consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must inform the consumer of its rejection reasons, and notify the consumer of the ability to contact the Attorney General with concerns about the appeal result.

Controller duties. CPA establishes duties for controllers, including the duties of transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data. Controllers must provide a privacy notice to consumers that includes: (1) the categories of personal data collected, processed, and/or shared with third parties; (2) the purposes for processing such data; (3) the categories of third parties with whom the controller shares personal data; (4) how and where consumers may exercise their rights; and (5) whether the controller sells personal data or processes personal data for targeted advertising.

Data protection assessments. CPA requires data protection assessments (“DPAs”) for certain processing activities, such as targeted advertising, sales, certain profiling, and processing of sensitive personal data.

Universal opt-out requests. CPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out by July 1, 2023, which controllers must honor starting July 1, 2024. This is not optional.

Opt-in consent for certain processing. CPA requires opt-in consent for the processing of sensitive personal information, which covers racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data. CPA also requires consent for processing the data of children under the age of 13.

Right to cure. CPA allows controllers a long 60-day period in which to cure violations. This cure period will be phased out after January 1, 2025, at which time the Colorado Attorney General will be able to act without such notice.

Enforcement. There is no private right of action, but the Colorado Attorney General’s office and state district attorneys will enforce CPA and may fine violators up to $500,000.
