Colorado has joined California and Virginia in enacting comprehensive data privacy legislation after Governor Jared Polis signed the Colorado Privacy Act into effect yesterday. The enactment of the Colorado Privacy Act continues the trend of state legislatures guiding the development of the general consumer data privacy framework in the U.S. The legislation is set to take effect on July 1, 2023. The Colorado Privacy Act extends consumer data protections and business compliance obligations in a manner similar to the California Consumer Privacy Act ("California Privacy Law (CCPA)"), the upcoming California Privacy Rights Act ("California Privacy Rights Act (CPRA)"), and legislation enacted in Virginia earlier this year, the Consumer Data Protection Act ("Virginia Privacy Law"). A brief summary of the general requirements and obligations on businesses and key distinctions with other state data privacy laws follows.
Who does the Colorado Privacy Act apply to?
The Colorado Privacy Act applies to Colorado residents – which it refers to as "consumers" – and imposes data protection requirements on entities who either:
- conduct business in Colorado; or
- produce or deliver commercial products or services that are intentionally targeted to residents of Colorado;
- control or processes personal data of at least 100,000 consumers (Colorado Residents) a year; or
- control or process personal data of at least 25,000 consumers and derive revenue or receives a discount on the price of goods or services, from the sale of personal data.1
What does the Colorado Privacy Act apply to?
The Colorado Privacy Act applies to "Personal Data," which is defined as "information that is linked or reasonably linkable to an identified or identifiable individual."2 Personal Data does not include information that is de-identified or that is publicly available. Similar to the Virginia Privacy Law, the Colorado Privacy Act's definition of consumer does not include individuals acting in commercial or employment contexts.3
The Colorado Privacy Act identifies and imposes obligations on "controllers" and "processors."
A controller is defined as a person that "determines the purposes for and means of processing personal data."4 Under the Colorado Privacy Act, controllers are required to:
- provide consumers with a "reasonably accessible, clear, and meaningful privacy notice," that outlines i) categories of personal data collected or processed by the controller or processors; ii) the purposes for processing; iii) how consumers can exercise the rights granted by the Colorado Privacy Act; iv) categories of personal data shared with third parties; v) categories of third parties with whom personal data is shared;5
- disclose in a conspicuous manner any sale of consumer data and the manner in which a consumer may opt-out of the sale or processing of personal data;6
- limit collection of personal data to what is adequate, relevant, and "reasonably necessary in relation to the specified purposes for which the data are processed;"7
- take reasonable measures to secure personal data compatible with the scope, volume, and nature of the data;8 and
A processor is a person that processes personal data on behalf of the controller.11 The Colorado Privacy Act requires processors to adhere to the controller's instructions and assist and cooperate with the controller to comply with its obligations under the act. The Colorado Privacy Act also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.12
Who does the Colorado Privacy Act Protect?
The Colorado Privacy Act protects Colorado residents and grants them certain rights concerning their personal data. Specifically, the Colorado Privacy Act permits consumers to submit authenticated requests to data controllers to: (i) opt out of the processing of personal data for targeted advertising, sale or profiling; (ii) confirm if a controller is processing their personal data and to access that data; (iii) correct inaccuracies in a consumer’s personal data; (iv) delete personal data concerning the consumer; and (v) if technically feasible, to obtain a copy of their data in a portable manner.13 Similar to the California Privacy Law (CCPA) and the Virginia Privacy Law, data controllers must respond to an authenticated request within 45 days.14 Similar to the Virginia Privacy Law, but unlike the California Privacy Law (CCPA), the Colorado Privacy Act requires data controllers to establish a process by which consumers may appeal a denial of their request.15
Key aspects of the Colorado Privacy Act
As under the Virginia Privacy Law, the Colorado Privacy Act provides an expansive right to opt out of the processing of personal data. The Colorado Privacy Act allows consumers to opt out of processing their personal data for (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling.16 The Colorado Privacy Act broadly defines sale as "the exchange of personal data for monetary or other valuable consideration by a controller to a third party,"17 which is similarly broadly defined under the California Privacy Law (CCPA). Notably, beginning July 1, 2024, the Colorado Privacy Act will require that data controllers allow consumers to exercise their right to optout through a "user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General."18 The Colorado Privacy Act requires that the Attorney General adopt the relevant rules for this requirement by July 1, 2023.19
- Similar to the California Privacy Rights Act (CPRA) and the Virginia Privacy Law, the Colorado Privacy Act requires data controllers to conduct and document data protection assessments of each of its processing activities involving personal data. Under the Colorado Privacy Act, data protection assessments focus on processing that presents a heightened risk of harm to the consumer such as processing for targeted advertising or profiling, the sale of personal data, or processing of sensitive data. Similar to the Virginia Privacy Law, the Colorado Privacy Act outlines that the purpose of data protection assessments is to weigh the potential risks of personal data processing against the direct or indirect benefits of processing to the controller, consumer, and the public. Upon request by the Attorney General, data controllers must produce their data protection assessments.20
- Consistent with the California Privacy Rights Act (CPRA) and Virginia Privacy Law, the Colorado Privacy Act requires businesses (controllers) to enter into written contracts with processors that regulate how processors process data. Under the Colorado Privacy Act, the contract must identify the purpose of processing, the type of personal data to be processed, the duration of processing, restrictions on engaging subcontractors, a duty of data confidentiality for processors and an obligation to delete or return all personal data to the controller at termination.21
- Although the Colorado Privacy Act does not provide a private right of action, it does provide for broad enforcement authority to include both the Attorney General and District Attorneys. The Colorado Privacy Act provides a 60-day cure period for alleged violations, in effect until January 1, 2025.22 The Colorado Privacy Act also provides for a higher possible penalty for violations of up to $20,000, as compared to the $7,500 maximum penalty in Virginia and California.
- Importantly, unlike other state data privacy legislation, the Colorado Privacy Act does not exempt non-profit organizations. The Colorado Privacy Act does exempt information or data maintained by the state and other governmental entities, state institutions of higher education,23 financial institutions subject to the Gramm Leach Bliley Act (GLBA),24 data regulated by the Family Educational Rights and Privacy Act (FERPA),25 data regulated by the Fair Credit Reporting Act (FCRA),26 information created for the purposes of complying with the Health Insurance Portability and Accountability Act (HIPAA)27 and personal data regulated by the Children’s Online Privacy Protection Act (COPPA), if in compliance with that law.28
- Finally, unlike the Virginia Privacy Law but similar to the California Privacy Rights Act, the Colorado Privacy Act grants the Attorney General rulemaking powers. The legislation focuses on the Attorney General's rulemaking in the context of a universal opt-out mechanism but states that the Attorney General may promulgate rules for the purpose of carrying out the law.29
Colorado Privacy Act Compliance Checklist
The similarities between the Colorado, California and Virginia privacy laws will permit companies to develop a general uniform approach to data privacy compliance obligations in the U.S. Similar to these other state data privacy laws, entities operating in Colorado should consider the following framework in assessing compliance obligations under the Colorado Privacy Act:
- Confirm That Your Business is Subject to the Colorado Privacy Act. Entities must determine whether they meet the jurisdictional threshold of the Colorado Privacy Act, which notably does not include a minimum revenue threshold.
- Determine Whether Your Business Depends on the Sale or Purchase of Personal Information. Businesses will need to assess whether and to what extent their disclosures of personal information to third parties falls within the Colorado Privacy Act's broad definition of "sale" of data, which, similar to the California Privacy Law, includes disclosure for "valuable consideration." Businesses should note that, under the Colorado Privacy Act (CCPA), disclosures to processors or affiliates for the purpose of providing a product or service requested by a consumer or made intentionally by the consumer are not considered sales.30
- Revise Privacy Policies. Revise privacy policies to reflect personal data processing activities, communicate the new rights available to consumers and identify the mechanisms implemented for consumers to exercise those rights.
- Implement "Reasonable Security Measures." Assess cybersecurity policies, practices, and controls to ensure they are consistent with industry-recognized standards.
- Conduct Data Protection Assessment. Businesses will need to conduct data protection assessments that evaluate how the business processes, sells and uses personal data. Importantly, they should consider the risk involved in such processing.
- Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Prior to July 1, 2024 when the requirement comes into effect, businesses should begin to implement use of a user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General (to be established by July 1, 2023).
- Facilitate Receipt and Response to Consumer Requests. Develop mechanisms for accepting, tracking, verifying and honoring consumer requests to exercise their access, correction, and deletion rights under the Colorado Privacy Act.
- Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely and consistent manner that is ultimately compliant with the Colorado Privacy Act.
Although the Colorado Privacy Act fits within the general compliance approach applicable to the California and Virginia privacy laws, there will inevitably be certain compliance aspects among these state laws that will require consideration on an individual state basis. Additional guidance on the practical implementation of the Colorado Privacy Act is expected in the coming months. This is consistent with the approach taken by other states following the initial enactment of their respective data privacy laws, to further refine these laws. Nonetheless, businesses will likely be expected to take steps to comply with the existing statutory requirements in California and Virginia by January 1, 2023 and Colorado on July 1, 2023, while remaining nimble enough to adjust as additional guidance and regulations are issued. It is worth noting that several other states are in the process of considering and enacting data privacy laws, which may create additional layers of compliance obligations on entities conducting business in the U.S. As such, businesses should keep apprised of the developments in the evolving area of U.S. consumer data privacy compliance. White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws emerge.
1 Bill 6-1-1304()
2 Bill 6-1-1303(17)
3 Bill 6-1-1303(6)(b)
4 Bill 6-1-1303(7)
5 Bill 6-1-1308(1)(a)(I)-(V)
6 Bill 6-1-1308(1)(b)
7 Bill 6-1-1308(3)
8 Bill 6-1-1308(5)
9 Bill 6-1-1308(7); Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data; personal data collected from a known child. Bill 6-1-1303(24).
10 Bill 6-1-1303(5) – definition of Consent
11 Bill 6-1-1303(19)
12 Bill 6-1-1305(2); Bill 6-1-1305(5)
13 Bill 6-1-1306(1)
14 Bill 6-1-1306(2)(a)
15 https://www.jdsupra.com/legalnews/slippery-slopes-colorado-joins-the-fray-4183121/ (see comparison chart)
16 Bill 6-1-1306(1)(a)
17 Bill 6-1-1303(23).
18 Bill 6-1-1306(1)(a)(IV)
19 Bill 6-1-1313(2)
20 Bill 6-1-1309
23 Bill 6-1-1304(2)(o)
24 Bill 6-1-1304(2)(q)
25 Bill 6-1-1304(2)(j)(V)
26 Bill 6-1-1304(2)(i)(C)(II)
27 Bill 6-1-1304(2)(e)
28 Bill 6-1-1304(2)(j)(IV)
29 Bill 6-1-1313
30 Bill 6-1-1303(23)(b)
Shira Shamir (Law Clerk, New York) assisted in the development of this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP