
The Colorado Privacy Act – Privacy Protection

Posted on July 8, 2022 by admin

08 July 2022

Keating, Meuthing & Klekamp PLL



The Colorado Privacy Act (the “CPA”) was signed into law on July 8, 2021 by Governor Jared Polis, only 6 months after Virginia enacted its data privacy law, the Virginia Consumer Data Privacy Act (“VCDPA”). You can learn more about the VCDPA in our previous blog post. The CPA not only creates new rights for consumers and obligations for businesses, but also authorizes the Colorado Attorney General to promulgate additional rules and regulations governing opinion letters and interpretive guidance to develop an operational framework for CPA compliance.

Effective July 1, 2023, businesses that control or process data must comply with the CPA if they (a) conduct business in Colorado or (b) produce products or services that are targeted to residents of Colorado, and they:

  1. Control or process personal data of at least 100,000 consumers, or

  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.

The CPA grants six rights to consumers — the same rights granted under the VCDPA:

  1. Right to confirm whether a controller is processing a consumer’s personal data

  2. Right to access the personal data processed by a controller

  3. Right to correct inaccuracies in the consumer’s personal data

  4. Right to delete personal data provided by or obtained by a controller

  5. Right to obtain a copy of the personal data a consumer has provided to the controller in a portable and readily usable format; and

  6. Right to opt out of processing personal data for:

    1. Targeted advertising

    2. Sale of personal data; and

    3. Profiling

A consumer may exercise the first rights above through a consumer request process that is identical to the one under the VCDPA, including the ability to appeal a consumer request denial.

Like the VCDPA, the CPA grants consumers the right to opt out of processing for targeted advertising, the sale of personal data, and profiling. Unlike the VCDPA, the CPA requires businesses to establish a process to allow a person or technological mechanism (such as a browser setting, extension, or global device setting) acting on behalf of a consumer to exercise the right to opt out. Additionally, the Colorado Attorney General will promulgate rules to detail technical specifications for a universal opt-out mechanism that must be adopted by businesses prior to July 1, 2024.

Also similar to the VCDPA, the CPA requires businesses to obtain consumer consent prior to collecting and/or processing “sensitive data.” Sensitive data, a subset of personal data, includes multiple categories of information, such as children’s data, genetic or biometric data, and precise geolocation. Sensitive data also includes data of a more intimate nature, such as racial or ethnic origin, sexual orientation, health condition or diagnosis, and immigration or citizenship status. The CPA specifies that consumers do not grant consent by accepting a broad terms of use document or by hovering over or closing out of a given piece of content. In this regard, the CPA requires affirmative consent from consumers to collect sensitive data.

The CPA establishes seven additional duties on controllers of personal data, many of which are similar to the seven underlying principles of Europe’s General Data Privacy Regulation (“GDPR”):

  • Duty of transparency (a reasonably accessible, clear, meaningful privacy policy)

  • Duty of purpose specification (express purpose for collecting data)

  • Duty of data minimization (collection must be adequate, relevant, and reasonably limited)

  • Duty to avoid secondary use (purposes of collection must be reasonably necessary to accomplish the specified purpose)

  • Duty of care (take reasonable measures to secure personal data)

  • Duty to avoid unlawful discrimination

  • Duty regarding sensitive data

As with the VCDPA, the CPA also requires a data protection assessment in certain circumstances and a binding contract between a controller and processor to govern any data processing.

The CPA does not have a private right of action. After a business receives notice of a potential violation, the business has a 60-day cure period to resolve such violations. If the business continues to violate the CPA following the cure period, the Attorney General may initiate an action against the business to seek an injunction and / or civil penalties.

Notably, the notice and opportunity to cure provision of the CPA will be repealed on January 1, 2025. As such, businesses must ensure their practices align with the requirements under the CPA as soon as possible. While many guiding regulations from the Colorado Attorney General are still to come, it is vital that businesses begin to prepare to comply with state data privacy laws to avoid the costs of investigation, possible injunction, and/or civil penalties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
