The Colorado Privacy Act (SB 190, “CPA”) is the third major state privacy law passed in the United States. The CPA grants Colorado residents numerous rights while placing numerous obligations on businesses. Even if your business is located outside of Colorado, it may still be subject to the CPA’s requirements and to steep financial penalties for non-compliance. You can read about whether the CPA applies to your Tennessee business here. If your business is subject to the CPA, there are compliance requirements and obligations it will need to consider before the Act becomes effective on July 1, 2023.
Businesses’ Obligations to Colorado Residents
The CPA provides Colorado residents with a right to opt out of allowing a business to process their personal data for:
- targeted advertising,
- sale (broadly defined as the exchange of personal data for monetary or other valuable consideration by a controller to a third party), or
- profiling that produces legal or similarly significant effects concerning the resident.
Effective July 1, 2024, Colorado residents must be able to exercise these opt-out rights through a user-selected universal opt-out mechanism that meets technical specifications to be established by the Colorado Attorney General on or before July 1, 2023. Unlike the CCPA, which makes honoring a global privacy control optional, the CPA requires controllers to comply with the universal opt-out, which will add complexity to the compliance processes of entities subject to several of the comprehensive state privacy laws.
Colorado residents also have the right to access, obtain a portable copy of, correct, or delete their personal data.
The CPA is similar to the CCPA and CDPA in how consumer requests are handled. A controller must respond to a consumer request within 45 days, which can be extended by another 45 days upon notice to the consumer and an explanation of the reason. The response to a first request must be free, but a controller may charge a reasonable fee for a second request within the same 12-month period. A request can be denied if the resident cannot be authenticated, or where the data has been pseudonymized and the information necessary to re-identify it is kept separately and subject to controls that prevent the controller from accessing it. A resident is allowed to appeal any such denial.
Sensitive Data Under the Colorado Privacy Act
Data Protection Assessments and Other Controller Duties
Controllers are required to conduct and document a data protection assessment (“DPA”) for each processing activity involving personal data acquired on or after the effective date of the Act that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm includes processing sensitive data, processing for purposes of targeted advertising, selling personal data, and profiling where there is a reasonably foreseeable risk of financial or physical injury to consumers, among other activities. The Act’s examples of processing that presents a heightened risk of harm are not exhaustive, so controllers will need to evaluate all of their processing activities at the outset to determine which ones potentially fall into this category and require a DPA.
DPAs must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to consumers’ rights, as mitigated through safeguards the controller may employ to reduce the risks. Controllers must make the DPA available to the Colorado Attorney General upon request.
In addition to responding to consumer requests and conducting and documenting DPAs, controllers must provide a privacy notice to consumers that includes:
- the categories of personal data collected, processed, and/or shared with third parties;
- the purposes for processing such data;
- the categories of third parties with whom the controller shares personal data;
- how and where consumers may exercise their rights; and
- whether the controller sells personal data or processes personal data for targeted advertising.
Moreover, controllers have a duty to adhere to certain principles when processing personal data, such as purpose specification, data minimization, avoiding processing for secondary purposes that are not compatible with the specified purpose, using reasonable measures to secure personal data, and avoiding unlawful discrimination. The Act does not specify which security measures satisfy the controller’s duty; it provides only that data security practices must be appropriate to the volume, scope, and nature of the personal data processed and to the nature of the business. Creating and maintaining internal processes for documenting DPAs and for demonstrating that processing activities are conducted in accordance with these principles will be an important aspect of compliance with the Act.
Enforcement of the Colorado Privacy Act
Violations of the CPA are considered a deceptive trade practice. Businesses found in violation are subject to civil fines of up to $20,000 per violation, and up to $500,000 per event leading to the violations.
Unlike the CCPA, the CPA does not provide a private right of action allowing Colorado residents to sue businesses. Instead, enforcement is strictly through the Colorado Attorney General and district attorneys.
Although the fines may be steep, businesses are afforded a right to cure that can avoid these penalties until January 1, 2025. Under this provision, a business has 60 days after receiving notice of a violation to cure its non-compliance before an enforcement action may be brought.