On June 8, 2021, the Colorado legislature passed the Colorado Privacy Act (SB 190, “CPA”). The CPA is the latest major state privacy law passed in the United States, following close on the heels of the headline-grabbing California Consumer Privacy Act (“CCPA”) and the Virginia Consumer Data Protection Act (“CDPA”). Although it shares many similarities with the CCPA and CDPA, it is broader in some areas and narrower in others. The CPA protects “personal data,” which is broadly defined as information that is linked or reasonably linkable to an identified or identifiable individual. In other words, the CPA will likely apply to Tennessee companies that interact with Colorado residents or process personal data of Colorado residents on a relatively large scale, including non-profit organizations.
When Does The Colorado Privacy Act Apply To A Tennessee Business?
The Colorado Privacy Act can apply to a Tennessee business if it:
- conducts business in Colorado; or
- produces or delivers commercial products or services that are intentionally targeted to Colorado residents and either:
  - controls or processes the personal data of 100,000 or more Colorado residents acting in an individual or household context during a calendar year; or
  - derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
Unlike the CCPA, there is no minimum revenue qualification. Therefore, a smaller business receives the benefit of not falling under the CPA simply because of its size. However, while these qualifications may seem simple, there are still some technicalities which must be analyzed.
What Qualifies as a Sale of Personal Information Under the CPA?
Similar to the CCPA, the “sale of personal information” is “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” Thus, the exchange of data for things other than simply money can still trigger the statute. (This is in contrast to the CDPA, which only considers it a sale when monetary consideration is paid.) That said, certain types of disclosures are excluded from the definition of a “sale”.
When is a Colorado Resident Not in Their Individual or Household Capacity?
Notably, the law only applies to data of Colorado residents in their individual or household capacity. The CPA explicitly excludes data of Colorado residents acting in “a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”
What Does It Mean to Conduct Business in Colorado?
The CPA does not lay out what it means to “conduct business” in Colorado, a similarity it shares with the CCPA and Virginia’s CDPA. If the Colorado Attorney General does not provide guidance prior to the CPA’s July 1, 2023 effective date, then businesses can only make a best guess until some enforcement actions clear the water. The wisest course is to consider whether the business has employees or a physical presence in the state, or otherwise conducts significant economic activity that would trigger any tax obligations.
The CPA also provides for both entity-level exemptions and data-level exemptions. Entity-level exemptions are broad and permit certain controllers to disregard obligations under the CPA that would otherwise apply, even if the data would otherwise qualify; one example is entities regulated by the Gramm-Leach-Bliley Act (“GLBA”). Data-level exemptions are narrower, such as deidentified information and information already regulated by other laws.
Determining if an exemption (or the CCPA itself) applies can be a fact-intensive inquiry depending on where your business operates, the data your business handles, the extent to which it handles the data, and the industry your business operates in.
If your business does fall under the Colorado Privacy Act, then it must comply with numerous obligations or face potential penalties.