Colorado's New Privacy Law
- Gary Truman

- Nov 6, 2021
August 30, 2021
Colorado recently passed a comprehensive data privacy law that becomes effective July 1, 2023. The Colorado Privacy Act (“CPA”) applies to a company that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and that meets one or both of the following thresholds: (i) controls or processes personal data of 100,000 or more consumers during a calendar year; or (ii) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.
Whether the CPA applies to a company is based on the volume of personal data processed, not on sales volume. The law will not apply to protected health information covered by the HIPAA Privacy Rule and other information covered by certain federal laws.
Some of the CPA’s terminology is taken from the European Union’s General Data Protection Regulation (“GDPR”) and, therefore, may be unfamiliar. For example, the CPA refers to “controller” instead of “business.” The statute defines “controller” as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data.” Instead of “service provider,” the CPA uses “processor,” which is defined as “a person who processes personal data on behalf of a controller.”
The CPA gives consumers the right to opt out of the processing of their personal data for: (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. Controllers must provide a “clear and conspicuous” method of exercising the right to opt out of the sale of personal data or targeted advertising, which must be in the controller’s privacy notice as well as in a readily accessible location outside the privacy notice. Controllers may also allow users to opt out through a universal opt-out mechanism that meets technical requirements to be established by Colorado’s Attorney General.
The CPA also gives consumers the right to:
- Confirm whether a controller is processing their personal data and the right to access that data;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Obtain their personal data in a portable, usable format that allows them to transmit the data to another entity “without hindrance.”
Under the CPA, controllers have 45 days to fulfill consumer requests (which may be extended another 45 days where reasonably necessary).
The CPA requires controllers to provide a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data collected or processed; (ii) the purposes for processing of personal data; (iii) how and where consumers may exercise their rights and how to appeal a controller’s action in response to a request; (iv) categories of personal data shared with third parties; and (v) the categories of third parties with whom the controller shares personal data.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
Controllers will be required to conduct a data protection assessment when processing personal data that presents a heightened risk of harm to a consumer. Furthermore, controllers are required to make the assessments available to the Attorney General upon request.
The CPA does not create a private right of action. Only Colorado’s Attorney General and district attorneys have authority to bring enforcement actions. A violation of the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act.
This article only summarizes some of the main aspects of the CPA. Colorado employers covered by the new law will want to familiarize themselves with the requirements before the law goes into effect.