On July 7, 2021, Governor Jared Polis signed into law the Colorado Privacy Act (ColoPA), the third comprehensive privacy law to be enacted in the United States (following California and Virginia). When it takes effect in July 2023, its substantial privacy requirements will impact the operations of many businesses in Colorado.
ColoPA generally applies to “controllers”—businesses that determine the purposes and means of processing personal data—who conduct business in Colorado and either (i) process personal data of more than 100,000 consumers per year or (ii) earn revenue from the personal data of over 25,000 consumers per year. ColoPA also imposes a limited number of obligations on “processors,” who store and process data on behalf of a controller. The following are highlights of ColoPA that businesses should carefully consider as the law’s effective date approaches.
Personal and sensitive data. ColoPA defines personal data to cover any information “linked or reasonably linkable to an” individual, and exempts de-identified data and publicly available information from this category. Controllers may not process “sensitive data”—such as data relating to racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, or genetics—without obtaining a consumer’s affirmative consent. Businesses should consider inventorying the types and sources of data that they obtain from consumers to ensure they are applying ColoPA to applicable personal data. They should also consider reviewing their processes to ensure adequate notice and consent from customers—particularly for sensitive data.
Enforcement authority. ColoPA provides consumers with various data subject rights, including: to access or delete personal data; correct inaccuracies in personal data; obtain personal data in a portable format; and opt out of the processing of their personal data for targeted advertising, sale, or profiling for certain activities. Although ColoPA does not create a private right of action, it grants enforcement authority to both the Colorado attorney general and district attorneys, who may bring actions with civil penalties up to $20,000 per violation. Penalties may be assessed on a per-transaction and per-consumer basis and there is no cap on damages.
Mandatory opt-out. ColoPA requires the attorney general to promulgate rules for a “universal opt-out” mechanism from targeted advertising and sale of personal data by July 1, 2023. After July 1, 2024, controllers must accommodate this mechanism. Given the uncertainty about how the attorney general will implement this provision, businesses should consider monitoring this topic for further updates.
Processors and subcontractors. ColoPA requires that processors and controllers enter into a contract that describes instructions for processing personal data, the type of personal data being processed, and other provisions for carrying out the obligations of ColoPA. In addition, processors must ensure that any of their subcontractors are contractually obligated to fulfill their duties under ColoPA. Controllers should consider identifying the processors that they engage with and drafting and negotiating data contracts with them. Businesses should also note that the distinction between processor and controller is a context-dependent inquiry: if a processor begins to act as a controller, it may assume additional obligations under ColoPA.
Data protection assessments. ColoPA requires controllers to conduct “data protection assessments” before using data for “processing that presents a heightened risk of harm to a consumer.” Activities requiring a data protection assessment include processing of personal data for targeted advertising or profiling, sale of personal data, and processing of sensitive data. While these assessments are not publicly accessible, they are reviewable by the attorney general. Although the data protection assessment requirement does not apply retroactively, companies that expect to engage in new processing of consumers’ personal data after July 2023 should ensure they maintain a process to conduct assessments.
Businesses operating in Colorado should consider assessing the applicability of ColoPA to their operations and the measures needed to ensure compliance. Colorado businesses should also keep a close watch on the continued evolution of U.S. data privacy legislation, as each new law that is passed can have a significant impact on their compliance programs.