The Matrix
{ Blog Post Bio Photo }

Colorado Passes Comprehensive Consumer Privacy Law

Posted by

On the heels of Virginia’s Consumer Data Protection Act, Colorado recently passed its own comprehensive consumer privacy law. On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”). The CPA takes effect on July 1, 2023.

Applicability & Thresholds

The CPA applies to entities that conduct business in Colorado or that intentionally direct products or services at Colorado residents and meet one of the following requirements: 

  1. Controls or processes the personal data of over 100,000 Colorado residents in a year; or
  2.  Controls or processes the personal data of 25,000 or more Colorado residents and derives revenue from the sale of that data.

Unlike the CCPA or VCDPA, the CPA does not expressly exempt nonprofit organizations. Like both the CPRA and the VDCPA, the CPA excludes employment records and publicly available data from the definition of covered information.

Definitions; Reasonable Security Measures & Data Protection Assessments

Under the CPA, “Personal Data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” The CPA defines a Controller as “a person that, alone or jointly with others, determines the purposes for and means of processing Personal Data,” and as a Processor as “a person that processes personal information on behalf of Controller.” “Process” or “Processing” is defined as “the collection, use, sale, storage, disclosure, analysis, deletion, or modification of Personal Data and includes the actions of a Controller directing a Processor to process Personal Data.” The CPA imposes different duties on Controllers and Processors.

The CPA imposes on Controllers the duties of transparency, purpose specification, data minimization, avoidance of secondary use, avoidance of discrimination, and care. For example, the duty of transparency requires accessible, clear, and meaningful privacy notices. Purpose specification requires informing the data subject of the purpose of Personal Data collection. Minimization provides that a Controller’s collection of Personal Data must be limited to what is reasonably necessary in relation to disclosed purposes. The duty of care requires Controllers to “take reasonable measures to secure Personal Data during both storage and use from unauthorized acquisition” and the “data security practices must be appropriate to the volume, scope, and nature of the Personal Data processed and the nature of the business.”

Drawing on concepts from the GDPR, the CPA requires Controllers to conduct a documented data protection assessment where data processing “presents a heightened risk of harm to a consumer.”

With regard to Processors, the CPA also requires reasonable technical and organizational measures to protect Personal Data. The CPA requires Processors to adhere to the processing instructions of Controllers, implement and comply with data processing agreements, and honor the duties of confidentiality and care when processing Personal Data.

Consumer Data Subject Rights

Consumer data subject rights are a key feature of the CPA. The CPA provides consumers (i) the right to opt out of Personal Data processing for targeting advertising, sales of data, and consumer profiling, (ii) the right to access their Personal Data processed by a Controller, (iii) the right to correct or delete their Personal Data, and (iv) the right to portability of their Personal Data. Like the CCPA, entities have 45 days to comply with a consumer data subject request, subject to an additional 45 day extension upon request.

Processing Sensitive Data

Importantly, Sensitive Data cannot be processed without first obtaining consumer (or parental/guardian) consent.  Sensitive data is defined under the CPA as data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric information, or personal data from a known child. 

The CPA treats the processing of Sensitive Data as “processing that presents a heightened risk to consumers,” and thus requires a documented data protection assessment of each processing activity involving Sensitive Data.

Enforcement, Penalties & Cure Period 

The CPA—like the VDCPA—is exclusively enforceable by the Colorado’s Attorney General and state district attorneys, which are empowered by the CPA to issue penalties and prevent future violations. In addition to injunctive relief, civil penalties of up to $2,000.00 per violation may be assessed, up to a maximum penalty of $500,000.00. Prior to any enforcement action, the CPA provides violating entities a cure period of 60 days. Notably, this cure period is repealed effective January 1, 2025. 

Looking Forward 

The passing and enactment of the CPA is illustrative of the prevailing trend in privacy legislation to both confer consumer data privacy rights and also impose reasonable data security requirements. Entities that conduct business in Colorado or handle personal information of Colorado residents should ensure their overall data security and privacy infrastructure positions them to comply with the CPA.

Jump to Page