Dan Stiles

How to Navigate the Colorado Privacy Act


Colorado is the third state in the country to pass legislation designed to better protect the data and privacy of consumers online. The Colorado Privacy Act (CPA), passed on July 8th, 2021, is effective July 1st, 2023. Despite that July 1, 2023, effective date, businesses and nonprofit organizations should start preparing now.

California and Virginia are the only other states in the U.S. with similar comprehensive data privacy laws in place.


What is the Colorado Privacy Act?

The CPA creates personal data privacy rights. It determines how businesses and other organizations, including non-profit organizations, that have access to personal data must handle the privacy rights of consumers they interact with. The CPA requires that covered entities:

  • Be transparent about how data is collected, stored, and used.

  • Disclose the purpose of data collection.

  • Minimize the amount of data collected.

  • Avoid secondary use of consumer data.

  • Not engage in unlawful discrimination.

  • Take particular care with sensitive data.


Consumer Rights

In addition to regulating the ways data is collected and used, entities covered by the CPA must also honor consumers' rights with regard to their own data. According to the CPA, a consumer has 5 primary data rights.

  • Right of Access: “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”

  • Right to Correction: “the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.”

  • Right to Delete: “the right to delete personal data concerning the consumer.”

  • Right to Data Portability: “the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”

  • Right to Opt-Out: “the right to opt out of the processing of personal data concerning the consumer for purposes of: targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

Under these rights, the consumer also has grounds to appeal a refusal by a company or organization to act on such a request.


International Influences

Data privacy has been a major topic globally for the last few years. In Europe, the General Data Protection Regulation (GDPR) started a trend toward more stringent online regulation for anyone conducting business that involves collecting data on consumers. These rules mandate that consumers be given certain data disclosures and rights.


Implementation of the GDPR caused many businesses, and other organizations with access to private data, to completely revamp their cybersecurity protocols and practices. So, how does this relate to the data privacy laws recently implemented in the United States?


The implementation of the GDPR sparked conversation with state and federal regulators, as well as state and federal lawmakers. After seeing how thorough and effective the GDPR law was, policymakers in the United States began considering similar legislation.


California was the first state to implement a similar law, followed by Virginia, and now Colorado.


Who Does the CPA Impact?

The CPA applies to any entity that “[c]onducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado”.

There are a few stipulations to this, however. Covered entities must also:

  1. Control or process the personal data of at least 100,000 consumers during a calendar year; or

  2. Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

The CPA does not apply to certain groups, such as state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.


Importantly, unlike California’s and Virginia’s laws, the CPA does not exclude non-profits that meet the criteria listed above. Another important point is that the word “sale” covers both monetary consideration and “other valuable consideration”. What counts as the latter is left for the state to determine on a case-by-case basis.


Enforcement and Penalty

Another difference between the CPA and similar legislation is the enforcement of these regulations and the penalties those who violate them will face.


Currently, if the Attorney General or a District Attorney initiates an action, the office must first provide notice to the “controller”, that is, the business or organization covered by the CPA. The covered entity then has 60 days to cure the violation.


Note that this is only true until January 1st, 2025. After that date, a grace period to cure the violation is no longer required.


There is no strict guidance in the statute about fines. However, because a violation of the CPA would be classified as a deceptive trade practice, the penalty falls under the Colorado Consumer Protection Act. This would mean a noncompliant party could be fined up to $20,000 per violation.


How Businesses Can Prepare

Some businesses and nonprofits may already be in compliance with the CPA as a result of their efforts to comply with the requirements of the GDPR or California or Virginia data privacy laws.


However, there are a few ways businesses can prepare for the future of data security requirements.



First, address cybersecurity within your organization. If you do not have a privacy officer or someone on your team in charge of overseeing data protection, and you lack the internal staff to fill that role, consider engaging a third-party cybersecurity firm.


Next, review your privacy policies online. Have a lawyer familiar with applicable data privacy laws review your current data privacy policy to make sure it is compliant with the CPA.


Last, make an action plan. If a customer requests access to their own data, have steps in place to fulfill the request and avoid violations.


When in doubt, seek out legal counsel for the best steps to take. This will help ensure you are protecting your own business, as well as the rights and safety of your customers.
