With the recent enactment of the Colorado Privacy Act on July 8, 2021, Colorado joins California and Virginia as states that now have broad consumer privacy laws. Although the Colorado law has many of the same features found in the California law, it more closely resembles the Virginia law, with a few twists of its own. The Colorado Privacy Act takes effect on July 1, 2023.
Scope and Application
The new law applies to any data controller who conducts business in Colorado or delivers commercial products or services that are intentionally targeted to residents of Colorado and meets one or both of the following requirements:
- Controls or processes the personal data of at least 100,000 Colorado residents during a calendar year.
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 Colorado residents.
While this is similar to the Virginia law, there is no requirement that revenue related to the sale of personal data constitute more than 50% of total revenue. And unlike the California law, there is no threshold tied to overall revenue; the focus is solely on the number of Colorado residents whose personal data is in the data controller’s possession or control. Additionally, unlike both the Virginia and California laws, the Colorado law does apply to nonprofits if they control or process a certain amount of personal data.
Like the Virginia law, the Colorado law protects data about a “consumer,” defined as an individual who is a state resident, but acting only in an individual or household context. Thus, unlike the California law, the Colorado law will not apply to individual data in a commercial or employment context, nor to job applicant data or to data about a beneficiary of someone acting in an employment context (for example, family members participating in an employee benefit plan).
The law gives consumers numerous rights, similar to those found under California’s and Virginia’s laws:
- Right of Access: to confirm whether a controller is processing personal data concerning the consumer and to access that very same data.
- Right to Correction: to correct inaccuracies in the consumer’s personal data.
- Right to Delete: to delete the consumer’s personal data.
- Right to Opt Out: to opt out of the sale of data, targeted advertising, or profiling that results in decisions with legal or similarly significant effects concerning the consumer.
- Right to Data Portability: to obtain the consumer’s personal data in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the data to another entity without hindrance.
Similar to the California and Virginia laws, a business subject to the Colorado Privacy Act must respond to an individual’s request to exercise one or more of these rights within 45 days. That period may be extended by up to an additional 45 days, provided notice is given to the consumer before the original 45-day deadline. If the data controller denies or fails to respond to the request, the business must provide the consumer with an easy-to-use appeal process.
Duties of Controllers
The new law also imposes a number of duties on data controllers:
- Duty of Purpose Specification: specify the express purposes for which the business collects and processes personal data.
- Duty of Data Minimization: collection must be adequate, relevant and limited to what is reasonably necessary in relation to the specific purposes for which the personal data is collected and processed.
- Duty to Avoid Secondary Uses: unless the consumer has otherwise consented, do not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data was originally collected and processed.
- Duty of Transparency: provide consumers with clear and accessible privacy notices that include:
  - the categories of personal data collected or processed.
  - the purposes of processing the personal data.
  - how and where consumers may exercise their rights.
  - the categories of personal data that the controller shares with third parties.
  - the categories of third parties with whom information is shared.
- Duty of Care: take reasonable measures during storage and use to secure personal data from unauthorized acquisition.
- Duty to Avoid Unlawful Discrimination: avoid processing personal data in a way that results in unlawful discrimination against consumers in violation of state or federal laws.
- Duty Regarding Sensitive Data: do not process (i) a consumer’s sensitive data without the consumer’s consent, or (ii) the personal data of a known child without permission from the child’s parent or legal guardian.
Like the Virginia law, the Colorado Privacy Act requires a data protection assessment whenever the controller engages in processing that presents a heightened risk of harm to a consumer—such as from targeted advertising, certain profiling activities, selling of personal data and processing sensitive data. These data protection assessments must be made available to the Colorado Attorney General upon request, but are otherwise confidential.
Whenever a data controller uses a third party to collect, use or otherwise process personal data, the data controller must have a binding contract with the processor that limits the processor’s ability to use the data. Among other things, the contract must require the processor to follow the data controller’s instructions, require technical and organizational measures to ensure an appropriate level of security, provide for audits by the controller or a third party of the processor’s policies and technical and organizational measures, and require return or destruction of personal data once the processor’s services have ended. If the processor uses a subcontractor, the controller must have the opportunity to object to the subcontractor and the subcontractor must agree to the same obligations that apply to the processor. The contract, however, may not relieve either the controller or the processor of their respective liabilities imposed under the Colorado Privacy Act.
Unlike the California law, the Colorado Privacy Act does not grant consumers any individual rights to enforce any of its provisions. Like the Virginia law, the Colorado Privacy Act authorizes enforcement by the Colorado Attorney General, but then also allows enforcement by any Colorado District Attorney. Violations of the Colorado Privacy Act are treated as a violation of the Colorado Consumer Protection Act and may result in a fine of up to $20,000 per violation. If a cure seems possible, the Attorney General or District Attorney must give the data controller 60 days to cure the violation, but this cure provision is temporary and is automatically repealed effective January 1, 2025.
If you need assistance with the Colorado Privacy Act, or any other privacy issue, Warner can help! Please contact any member of Warner’s Cybersecurity and Privacy Practice Group.