What is the Colorado Privacy Act (CPA)?

Golden Data Law, published in Golden Data, Aug 10, 2021
[Image: Birdie Draper Collection, SDASM Archives]

The Colorado Privacy Act (also called the “Protect Personal Data Privacy Act”) (CPA) was enacted in 2021 through SB21–190 to protect the fundamental right to privacy of Colorado residents and to “require companies to be responsible custodians of data as they continue to innovate.” (See the Legislative Declaration for SB21–190.)

The CPA:

  • Provides Colorado residents with the right to access, correct, and delete personal data and the right to opt out not only of the sale of personal data but also of the collection and use of personal data in certain scenarios;
  • Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data; and
  • Empowers the Colorado Attorney General and District Attorneys to access and evaluate a company’s data protection assessments, to impose penalties where violations occur, and to prevent future violations.

The CPA:

  • Specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
  • Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data; and
  • Specifies that a violation of its requirements is a deceptive trade practice for purposes of enforcement, but the act may be enforced only by the attorney general or district attorneys.

Local governments are preempted from adopting laws that govern the processing of personal data by controllers or processors. (Colorado C.R.S. 6–1–1312)

The attorney general may promulgate rules to administer the act and is required to adopt rules detailing technical specifications for a universal opt-out mechanism that controllers must use. (Colorado C.R.S. 6–1–1313)

Practice Tip: Colorado’s Constitution explicitly provides the right to privacy under Section 7 of Article II, which states: “The people shall be secure in their persons, papers, homes and effects, from unreasonable searches and seizures; and no warrant to search any place or seize any person or things shall issue without describing the place to be searched, or the person or thing to be seized, as near as may be, nor without probable cause, supported by oath or affirmation reduced to writing.”

1. Who is regulated by the CPA?

1.1. Territorial Scope of the CPA

The CPA applies to “controllers” that conduct business or produce commercial products or services that are intentionally targeted to “consumers” and that either:

  • Control or process the “personal data” of at least 100,000 “consumers” during a calendar year; or
  • Derive revenue (or receive a discount on the price of goods or services) from the “sale” of “personal data” and control or process the personal data of at least 25,000 “consumers.”

(Colorado C.R.S. 6–1–1304 (1))

Please note that:

  • For the definition of controller see the “controller v. processor” section below.
  • For the definition of consumer and personal data see the material scope section below.
  • “Sale” under the CPA means “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” (See, Colorado C.R.S. 6–1–1303 (23)(a).) However, the disclosure of personal data (i) to a processor that processes on behalf of the controller, or (ii) to a third party for the purpose of providing a product or service requested by the consumer, is not deemed a sale under the CPA. In addition, it is not a sale under the CPA to disclose or transfer personal data (i) to an affiliate of the controller, or (ii) to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes “control” of all or part of the controller’s assets. (See, Colorado C.R.S. 6–1–1303 (23)(b).) “Affiliate” means a “legal entity that controls, is controlled by, or is under common control with another legal entity.” “Control” means (i) ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more persons; (ii) control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or (iii) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity, as determined by the applicable prudential regulators, as that term is defined in 12 U.S.C. SEC. 5481 (24). (See, Colorado C.R.S. 6–1–1303 (1).)

Note: Although the applicability threshold in Colorado C.R.S. 6–1–1304 (1) summarized above reads as if the act only applied to controllers, other sections of the act specifically impose obligations on processors (e.g., Colorado C.R.S. 6–1–1305).

1.2. Material Scope of the CPA

The CPA regulates the “processing” of “personal data” of “consumers” by “controllers” and “processors.”

  • “Processing” (or “process”) under CPA means the “collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.” (See, Colorado C.R.S. 6–1–1303 (18))
  • “Personal data” under the CPA means “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition expressly excludes de-identified data (see the de-identification discussion in the consumer rights section below) and “publicly available information,” i.e., (1) information that is lawfully made available from federal, state, or local government records and (2) “information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” (See, Colorado C.R.S. 6–1–1303 (17))
  • “Consumer” under the CPA means “an individual who is a Colorado resident acting only in an individual or household context.” The CPA excludes from its scope individuals acting in a commercial or employment context, job applicants, and beneficiaries of those acting in an employment context. (See, Colorado C.R.S. 6–1–1303 (6))
  • For the definition of controller and processor see the Controller v. Processor section below.

Practice Tips:

(1) The CPA applies to controllers/processors that process the personal data of one hundred thousand or more Colorado residents during a calendar year, whether or not that data is being sold or shared for cross-context behavioral advertising. The corresponding CCPA/CPRA threshold is triggered only where the data is being bought, sold, or shared.

(2) As opposed to California’s CCPA/CPRA, Colorado’s CPA does not apply to (1) data collected in the context of business-to-business interactions or (2) data of employees, job applicants, and their beneficiaries.

(3) The definition of “personal data” under the CPA is different from the definition under EU data protection law (for more on the EU definition see here). In addition, the CPA excludes both publicly available information and information lawfully made available to the public by the individual, whereas neither of those categories has ever been excluded from the scope of EU data protection law.

(4) The definition of “personal data” under CPA differs from the definition under California’s CCPA/CPRA. For more about the definition under California law see here.

1.3. Controllers v. Processors v. Third Parties

“Controller” under the CPA means “a person that, alone or jointly with others, determines the purposes for and means of processing personal data.” (See, Colorado C.R.S. 6–1–1303 (7).) “Processor” under the CPA means a “person that processes personal data on behalf of a controller.” (See, Colorado C.R.S. 6–1–1303 (19))

  • Determining whether a person is a controller or a processor with respect to specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing to a controller’s instructions, or that fails to adhere to those instructions, is a controller. A person that continues to adhere to the instructions is a processor.
  • If a processor begins, alone or jointly with others, to determine the purposes and means of the processing of personal data, it is a controller with respect to that processing.

(See, Colorado C.R.S. 6–1–1305 (7))

“Third party” means a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or controller. (See, Colorado C.R.S. 6–1–1303 (26))

Practice Tips: EU v. Colorado

The CPA definitions of controller and processor are essentially identical to the traditional definitions under EU data protection law, but their scope in application has yet to be interpreted by US courts and could potentially differ from the interpretations of the concepts in the EU. For more on what is a controller/processor under EU data protection law see here and here.

Practice Tip: “Person”

Colorado code Title 6, Article 1 (6–1–102) defines person to include an individual. “(6) “Person” means an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity.”

2. Exemptions

The CPA does not apply to certain persons, certain data, and certain activities. However, even where an exclusion applies, certain limitations need to be considered. In particular, the data (i) shall not be processed for a purpose other than the purpose covered by the exclusion or as otherwise authorized by the CPA, and (ii) shall be processed solely to the extent that is necessary, reasonable, and proportionate to the specific purpose or purposes covered by the exclusion or as otherwise authorized by the CPA. (See, Colorado C.R.S. 6–1–1304 (4).)

The controller bears the burden of proving the processing qualifies for an exemption and complies with the requirements. (See, Colorado C.R.S. 6–1–1304 (5).)

2.1. Persons excluded from the scope of the CPA

  • FI exclusion: Financial institutions and their affiliates are exempted from compliance with the CPA so long as they are subject to the Gramm-Leach-Bliley Act (GLBA). (See, Colorado C.R.S. 6–1–1304 (2)(q)) Note that, in addition to excluding financial institutions, data regulated by the GLBA is also excluded from the CPA (see “GLBA data” below; Colorado C.R.S. 6–1–1304 (2)(j)(II)).
  • Air carrier exclusion: Air carriers (as defined under 49 U.S.C. SEC. 40101 et seq.) are excluded from the scope of the CPA. (See, Colorado C.R.S. 6–1–1304 (2)(l))
  • National securities associations: National securities associations registered pursuant to the Federal Securities Exchange Act of 1934 (15 U.S.C. SEC. 78o-3) are excluded from the scope of the CPA. (See, Colorado C.R.S. 6–1–1304 (2)(m))
  • Public utilities and authorities: Customer data maintained by a public utility (as defined in Colorado C.R.S. 40–1–103 (1)(a)(I)) or an authority (as defined in Colorado C.R.S. 43–4–503 (1)) is excluded from the CPA provided that the data is processed only as authorized by state or federal law. (See, Colorado C.R.S. 6–1–1304 (2)(n))
  • Colorado institutions: Data maintained by a Colorado institution of higher education (as defined in Colorado C.R.S. 23–18–102 (10)), the state of Colorado, the judicial department of the state of Colorado, or a county or municipality is excluded from the CPA provided that the data is processed only as authorized by state or federal law. (See, Colorado C.R.S. 6–1–1304 (2)(o))

2.2. Data excluded from the scope of the CPA

(a) Health information. The following health information is excluded from the scope of CPA:

  • Protected health information that is collected, stored, and processed by a covered entity or its business associates (See, Colorado C.R.S. 6–1–1304 (2)(a))
  • Patient records governed solely “for the purpose of access to medical records” by Part 8, Article 1 of Title 25 of the Colorado Revised Statutes (C.R.S. 25–1–801, 25–1–802, 25–1–803) (See, Colorado C.R.S. 6–1–1304 (2)(b))
  • Patient identifying information, as defined in 42 CFR 2.11, that is governed by and collected and processed pursuant to 42 CFR Part 2, established pursuant to 42 U.S.C. SEC. 290dd-2 (See, Colorado C.R.S. 6–1–1304 (2)(c))
  • Identifiable private information, as defined in 45 CFR 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR Part 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the categories mentioned in this paragraph (See, Colorado C.R.S. 6–1–1304 (2)(d))
  • Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations (See, Colorado C.R.S. 6–1–1304 (2)(e))
  • Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of patient safety improvement pursuant to 42 CFR Part 3, established pursuant to 42 U.S.C. SECS. 299b-21 to 299b-26 (See, Colorado C.R.S. 6–1–1304 (2)(f))
  • Information maintained in the same manner as the information described in the bullets above, or de-identified (see next section), by (i) a covered entity or business associate, (ii) a health-care facility or health-care provider, or (iii) a program of qualified service organizations as defined in 42 CFR 2.11 (See, Colorado C.R.S. 6–1–1304 (2)(h))
  • Personal data collected and maintained for the purposes of the Colorado Health Benefit Exchange (Colorado C.R.S. 10–22–101 to 10–22–114)
  • Information used and disclosed in compliance with 45 CFR 164.512 (See, Colorado C.R.S. 6–1–1304 (2)(p))

Practice Tip: Under the CPA, “covered entity” and “business associate” have the meanings established in 45 CFR 160.103. (See, Colorado C.R.S. 6–1–1303 (8)&(3))

(b) De-identified data derived from health care data exemption:

The CPA excludes information that is (I) de-identified in accordance with the requirements of 45 CFR Part 164 AND (II) derived from health-related information that is itself subject to one of the exemptions listed above. (See, Colorado C.R.S. 6–1–1304 (2)(g)(I)&(II))

Practice tip: Colorado has adopted the federal health data de-identification standard to exclude across the board all personal data derived from health care data from the scope of the CPA (in other words, the CPA treats HIPAA de-identified data derived from health care data as if it were anonymous data). In addition, the CPA relaxes certain rules with regard to the rights of access, correction, deletion, and portability for de-identified data (as separately defined in the CPA) and pseudonymous data (again, as defined in the CPA). See the section on consumer rights for a detailed description of the relaxed rules.

In other words: Colorado exempts both (a) PHI that is subject to HIPAA and (b) data that is derived from PHI (or the other types of health information specified in sections 1304(2)(a)-(f)) AND meets the HIPAA definition of de-identified. There is no limit on the scope of the exemption (i.e., the exemption applies regardless of the purposes for which the de-identified data is used), which is quite different from the approach the CCPA/CPRA has taken in California.

(c) FCRA data: The CPA excludes from its scope any information regulated by the Fair Credit Reporting Act (15 U.S.C. SEC. 1681 et seq.) processed by (i) a consumer reporting agency (as defined by 15 U.S.C. SEC. 1681a (f)); (ii) a furnisher that provides information for use in consumer reports (as defined under 15 U.S.C. SEC. 1681s-2 and 15 U.S.C. SEC. 1681a (d)); or (iii) a user of consumer reports (as defined under 15 U.S.C. SEC. 1681b), involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s credit worthiness or credit standing. (See, Colorado C.R.S. 6–1–1304 (2)(i))

(d) GLBA data: Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) is exempted from the CPA. (See, Colorado C.R.S. 6–1–1304 (2)(j)(II)) Note that, in addition, financial institutions are exempted from the CPA under a separate provision. (See, Colorado C.R.S. 6–1–1304 (2)(q))

(e) Driver’s data: Personal data collected, processed, sold, or disclosed pursuant to the Federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. SEC. 2721 et seq.) is outside the scope of the CPA provided that it is regulated by that federal law. (See, Colorado C.R.S. 6–1–1304 (2)(j)(III))

(f) Children’s data: Personal data regulated by the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. SECS. 6501 to 6506) is exempted from the CPA. (See, Colorado C.R.S. 6–1–1304 (2)(j)(IV))

(g) Educational records: Personal data regulated by the Federal Family Educational Rights and Privacy Act of 1974 (FERPA) (20 U.S.C. SEC. 1232g et seq.) is exempted from the CPA. (See, Colorado C.R.S. 6–1–1304 (2)(j)(V))

(h) Employment records: Data maintained for employment records purposes is excluded from the CPA. (See, Colorado C.R.S. 6–1–1304 (2)(k))

2.3. Activities not restricted by the CPA:

The obligations imposed on controllers and processors under CPA do not:

  • Restrict their ability to (i) comply with federal, state, or local laws, rules, or regulations; (ii) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; (iii) cooperate with law enforcement agencies regarding conduct that the controller or processor reasonably and in good faith believes may violate federal, state, or local law; or (iv) investigate, exercise, prepare for, or defend legal claims.
  • Restrict their ability to (i) conduct internal research to improve, repair, or develop products, services, and technology; (ii) identify and repair technical errors that impair existing or intended functionality; or (iii) perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller.
  • Limit their ability to (i) provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract; or (ii) protect the vital interests of the consumer or of another individual.
  • Restrict their ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
  • Limit their ability to process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing (i) is subject to suitable and specific measures to safeguard the rights of individuals and (ii) is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.
  • Restrict their ability to assist another person with any of the activities listed above.
  • Apply (i) where compliance would violate an evidentiary privilege under Colorado law; (ii) to information made available by a third party that the controller has a reasonable basis to believe is protected speech; or (iii) to the processing of personal data by an individual in the course of purely personal or household activity.
  • Prevent a controller or processor from providing personal data to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication.

(See, Colorado C.R.S. 6–1–1304 (3))

3. Rights of consumers

Under the CPA, consumers have the right to opt out of a controller’s processing of their personal data for certain purposes; to access, correct, or delete the data; and to obtain from a controller a portable copy of the data.

  • Method for submission of requests: The rights can be exercised by submitting a request using the methods specified in the controller’s privacy notice. The methods must take into account “the way in which consumers normally interact with the controller, the need for secure and reliable communication relating to the request, and the ability of the controller to authenticate the identity of the consumer making the request.” Controllers may not require consumers to create a new account in order to exercise their rights, but may require consumers to use an existing account. (See, Colorado C.R.S. 6–1–1306)
  • Time for submission: Consumers may submit requests at any time. (See, Colorado C.R.S. 6–1–1306)

NOTE:

Authenticate under CPA means “to use reasonable means to determine that a request […] is being made by or on behalf of the consumer who is entitled to exercise the rights.” (See, Colorado C.R.S. 6–1–1303(2).)

DE-IDENTIFICATION: CPA does NOT require controllers or processors to:

  • Re-identify de-identified data: Under the CPA, “de-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data (i) takes reasonable measures to ensure that the data cannot be associated with an individual; (ii) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data; and (iii) contractually obligates any recipients of the information to comply with the same requirements. (See, Colorado C.R.S. 6–1–1307(1)(a) and 6–1–1303(11).)
  • Comply with access/correction/deletion/portability requests for de-identified data in certain circumstances: Controllers that receive an authenticated request to access, correct, delete, or provide personal data in a portable format need not comply if (i) the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the data with the request; (ii) the controller does not use the data to recognize or respond to the data subject and does not associate the data with other data of that data subject; AND (iii) the controller does not sell the data or otherwise voluntarily disclose the data to third parties, except as otherwise authorized by the consumer. (See, Colorado C.R.S. 6–1–1307(1)(b).)
  • Maintain the data in identifiable form or obtain data/technology that enables the controller to associate the data: The CPA does not require controllers to maintain the data in identifiable form, or to collect, obtain, retain, or access any data or technology that enables the controller to associate the data with the data subject. (See, Colorado C.R.S. 6–1–1307(1)(c).)

Controllers that use de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which de-identified data is subject and take appropriate steps to address breaches of such commitments. (See, Colorado C.R.S. 6–1–1307(2).)

PSEUDONYMOUS DATA: Under the CPA, “pseudonymous data” is defined as “personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.” The rights of access, correction, deletion, and portability do not apply to pseudonymous data IF the controller can demonstrate that the information necessary to identify the data subject is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. (See, Colorado C.R.S. 6–1–1307(3).)

Practice tip: In addition to the more relaxed rules under the CPA that apply to de-identified and pseudonymous data described above, the CPA uses the federal health data de-identification standard (see 45 CFR Part 164) to exclude HIPAA de-identified data derived from health care data from the scope of the law altogether (in other words, the CPA treats such data as if it were anonymous data). (See the section on exemptions above.)

3.1. Right to opt-out

Consumers have the right to opt-out of the processing of personal data concerning the consumer for purposes of:

  • Targeted advertising: “Targeted advertising” under the CPA means “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.” Targeted advertising does NOT include (i) advertising in response to the consumer’s request for information or feedback; (ii) advertisements based on activities within a controller’s own websites or online applications; (iii) advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or (iv) processing personal data solely for measuring or reporting advertising performance, reach, or frequency. (See, Colorado C.R.S. 6–1–1303(25).)
  • Sale of personal data: “Sale” under the CPA means “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” (See, Colorado C.R.S. 6–1–1303 (23)(a).) For the disclosures that are not deemed a sale (to processors, to third parties providing a product or service requested by the consumer, to affiliates, and as part of a merger, acquisition, bankruptcy, or similar transaction), and for the definitions of “affiliate” and “control,” see the territorial scope section above. (See, Colorado C.R.S. 6–1–1303 (23)(b) and 6–1–1303 (1).)
  • “Profiling” in furtherance of “decisions that produce legal or similarly significant effects concerning the consumer”: “Profiling” under the CPA means “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” (See, Colorado C.R.S. 6–1–1303(20).) Under the CPA, a decision that produces “legal or similarly significant effects” means a decision that “results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” (See, Colorado C.R.S. 6–1–1303(10).)

(See, Colorado C.R.S. 6–1–1306(1)(a)(I))

Consumers may authorize third parties to exercise their right to opt out, “including through a technology indicating the consumer’s intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting.” The controller shall comply if it is “able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.” (See, Colorado C.R.S. 6–1–1306(1)(a)(II))

Controllers that engage in targeted advertising or the sale of personal data shall:

  • Notice: Provide “a clear and conspicuous method” to exercise the right to opt out both in their privacy notice and “in a clear and readily accessible location outside of the privacy notice.” (See, Colorado C.R.S. 6–1–1306(1)(a)(III))
  • Universal opt-out [until July 1, 2024]: May allow consumers to exercise their right to opt out through “a user-selected universal opt-out mechanism” that meets the technical specifications established by the Colorado Attorney General. (See, Colorado C.R.S. 6–1–1306(1)(a)(IV)(A))
  • Universal opt-out [from July 1, 2024]: Shall allow consumers to exercise their right to opt out through “a user-selected universal opt-out mechanism” that meets the technical specifications established by the Colorado Attorney General. (See, Colorado C.R.S. 6–1–1306(1)(a)(IV)(B))
  • Cookie banners: Controllers may enable the consumer to consent, “through a web page, application, or similar method,” to the processing of the consumer’s personal data for targeted advertising or sale, in which case the consent takes precedence over the choice reflected by the universal opt-out mechanism. In order to obtain consent the controller shall provide a clear and conspicuous notice informing the consumer about (i) the choices available, (ii) the categories of personal data to be processed and the purposes for which they will be processed, and (iii) how and where the consumer may withdraw consent. The consent shall be revocable through the same mechanism “as easily as it is affirmatively provided.” (See, Colorado C.R.S. 6–1–1306(1)(a)(IV)(C))

“Consent” under the CPA means “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement,” such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing. The following do NOT constitute consent:

  • Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • Hovering, muting, pausing, or closing a given piece of content, and
  • Agreement obtained through “dark patterns.”

(See, Colorado C.R.S. 6–1–1303(5))

A “dark pattern” under the CPA means a “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” (See, Colorado C.R.S. 6–1–1303(9))

3.2. Right of access

A consumer has the right to (i) confirm whether a controller is processing personal data concerning the consumer and (ii) access the consumer’s personal data. (See, Colorado C.R.S. 6–1–1306(1)(b))

3.3. Right to correction

A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (See, Colorado C.R.S. 6–1–1306(1)(c))

3.4. Right to deletion

A consumer has the right to delete personal data concerning the consumer. (See, Colorado C.R.S. 6–1–1306(1)(d))

3.5. Right to data portability

When exercising the right to access, a consumer has the right to obtain from the controller a portable copy of the personal data (see the summary of consumer rights above). (See, Colorado C.R.S. 6–1–1306(1)(e))

4. Obligations of controllers and processors

4.1. Obligations that apply only to controllers

(a) Responding to consumer requests.

Controllers are required to effectuate consumer’s rights.

  • Authentication: Controllers are not required to take action on requests if they are unable to authenticate them using “commercially reasonable efforts”, in which case the controller may request additional information as reasonably necessary to authenticate the request. (See, Colorado C.R.S. 6–1–1306 (2)(d))
  • Timeframe for responding to requests: Controllers shall inform consumers of any actions taken on a request “without undue delay and, in any event, within forty-five days after receiving the request.” The period can be extended by forty-five additional days where “reasonably necessary, taking into account the complexity and number of requests.” The controller shall inform consumers of the extension within the forty-five days from receipt of the appeal, together with the reasons for the delay. (See, Colorado C.R.S. 6–1–1306 (3)(b))
  • Request denials: Controllers that deny requests shall inform consumers “without undue delay and, at the latest, within forty-five days after receipt of the request” of the reasons for not taking action and instructions for how to appeal the decision with the controller. (See, Colorado C.R.S. 6–1–1306 (2)(b))
  • Appeal to the controller: Controllers need to have in place an internal process that enables consumers to appeal, within a reasonable time, a refusal to take action on a request. The appeal process must be “conspicuously available” and “as easy to use” as the process for submitting requests. (See, Colorado C.R.S. 6–1–1306 (3)(a)) Controllers must respond to appeals within forty-five days, providing “a written explanation in support of the response.” The period to respond may be extended by sixty additional days where “reasonably necessary”, taking into account “the complexity and number of requests serving as the basis for the appeal.” (See, Colorado C.R.S. 6–1–1306 (3)(b))
  • Appeal to the Attorney General: Controllers shall inform consumers of the right to contact the AG if their appeal is denied. (See, Colorado C.R.S. 6–1–1306 (3)(c))
  • Charging for requests: Controllers shall provide the information without charge, except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated as per the rules that apply where a person has the right to inspect public records under Colorado law, as per Colorado C.R.S. 24–72–205. (See, Colorado C.R.S. 6–1–1306 (2)(c))

(b) Duty of transparency: Controllers shall provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes:

  • The categories of personal data collected or processed by the controller or a processor;
  • The purposes for which the personal data is processed;
  • How and where consumers may exercise rights (including contact information for the controller and the process to appeal denials);
  • The categories of personal data that the controller shares with third parties (i.e. with organizations other than processors); and
  • The categories of third parties (if any) with whom the controller shares personal data.

(See, Colorado C.R.S. 6–1–1308 (1)(a))

If the controller sells personal data or processes it for targeted advertising, the controller shall “clearly and conspicuously” disclose this fact and the process to opt out. (See, Colorado C.R.S. 6–1–1308 (1)(b))

In addition, CPA contains prohibitions in regards to:

  • Requiring new accounts to exercise rights: Controllers shall not require consumers to create an account in order to exercise their rights;
  • Discrimination: Controllers shall not increase the cost of, or decrease the availability of, a product or service based only on the fact that a data subject exercised his/her rights if unrelated to the feasibility or value of the service. However, CPA cannot be interpreted to “require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.”

(See, Colorado C.R.S. 6–1–1308 (1)(c)&(d))

(c) Duty of purpose specification: Under the CPA a controller shall specify the express purposes for which personal data are collected and processed. (See, Colorado C.R.S. 6–1–1308 (2))

(d) Duty of data minimization: Under the CPA a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed. (See, Colorado C.R.S. 6–1–1308 (3))

(e) Duty to avoid secondary use: Under the CPA a controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent. (See, Colorado C.R.S. 6–1–1308 (4))

(f) Duty to avoid unlawful discrimination: Under CPA a controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers. (See, Colorado C.R.S. 6–1–1308 (6))

(g) Duty regarding sensitive data: A controller shall not process the consumer’s sensitive personal data without first obtaining the consumer’s consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian. (See, Colorado C.R.S. 6–1–1308 (7)) Under the CPA “sensitive data” means (i) personal data “revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status”; (ii) genetic or biometric data that may be “processed for the purpose of uniquely identifying an individual”; OR (iii) personal data from a known child. (See, Colorado C.R.S. 6–1–1303 (24)) A child under CPA means an individual under 13 years of age. (See, Colorado C.R.S. 6–1–1303 (4))

(h) Obligation to conduct data protection assessments (DPA): The CPA requires controllers to conduct DPAs for each processing activity that “presents a heightened risk of harm to a consumer.” This only applies to activities related to data acquired on or after July 1, 2023.

The following processing is deemed to present a heightened risk of harm to consumers by the CPA:

  • Targeted advertising/profiling: Processing personal data for targeted advertising, or for profiling IF the profiling presents a “reasonably foreseeable risk of” (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial or physical injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; OR (iv) other substantial injury to consumers. Targeted advertising under CPA means “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across non-affiliated websites, applications, or online services to predict consumer preferences or interest.” Targeted advertising does NOT include (i) advertising in response to the consumer’s request for information or feedback; (ii) advertisements based on activities within a controller’s own websites or online applications; (iii) advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or (iv) processing personal data solely for measuring or reporting advertising performance, reach, or frequency. Profiling under CPA means “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” (See, Colorado C.R.S. 6–1–1303(20).) Under CPA, a decision that produces “legal or similar significant effects” means a decision that “results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” (See, Colorado C.R.S. 6–1–1303(10)&(25).)
  • Processing sensitive data (see duty regarding sensitive personal data above for the CPA definition of sensitive personal data)

(See, Colorado C.R.S. 6–1–1309(1)&(2).)

DPAs must identify and weigh the direct and indirect benefits to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by the safeguards in place. The DPA shall factor into the assessment:

  • The use of de-identified data;
  • The reasonable expectations of consumers;
  • The context of the processing; and
  • The relationship between the controller and the data subject.

(See, Colorado C.R.S. 6–1–1309(3))

DPAs must be made available to the Colorado Attorney General upon request but are otherwise confidential and exempt from public inspection and copying under the “Colorado Open Records Act” (Colorado C.R.S. 24–72–100.1 to 72.4-106). The disclosure of a DPA to the Colorado Attorney General does not constitute a waiver of attorney-client privilege or work-product protection. (See, Colorado C.R.S. 6–1–1309(4))

A single DPA may address a comparable set of processing operations that include similar activities. (See, Colorado C.R.S. 6–1–1309(5))

DPAs under CPA only apply to processing activities created or generated after July 1st, 2023, and are not retroactive. (See, Colorado C.R.S. 6–1–1309(6))

4.2. Obligations that apply only to processors

Processors shall assist the controller in meeting its obligations and adhere to its instructions.

  • Assisting the controller: Taking into consideration “the nature of processing and the information available to the processor”, processors shall assist by (i) taking appropriate technical and organizational measures to enable the controller to respond to consumers’ requests to exercise CPA rights; (ii) helping the controller meet its obligations to ensure the security of the processing and to notify of breaches as required; and (iii) providing enough information to the controller to conduct and document data protection assessments as required by CPA (however, the controller and processor “are only responsible for the measures allocated to them”). (See, Colorado C.R.S. 6–1–1305 (2))
  • Adhere to instructions: Notwithstanding the obligation to adhere to the controller’s instructions, processors shall (i) ensure each person processing personal data is subject to a duty of confidentiality with respect to the data; and (ii) engage subcontractors only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with CPA that requires the subcontractor to meet the same obligations that apply to the processor. (See, Colorado C.R.S. 6–1–1305 (3))

4.3. Obligations that apply to both controllers and processors

Processors and controllers shall ensure security, enter into compliant contracts and

  • Security: Taking into account “the context of processing” controllers and processors shall “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” and establish “a clear allocation of responsibilities in between them to implement the measures.” (See, Colorado C.R.S. 6–1–1305 (4)) For controllers, the CPA specifically requires them to take reasonable measures to secure personal data during both storage and use from unauthorized acquisition and mandates that the data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. (See, “Duty of Care” Colorado C.R.S. 6–1–1308 (5))
  • Contracts: Processing by a processor shall be governed by a binding contract that sets out (i) the instructions that bind the processor, including a description of the nature and purpose of the processing; (ii) the type of personal data subject to the processing and the duration of the processing; and (iii) the requirements for the processor to adhere to the instructions of the controller and for both to cooperate to ensure security of the processing. In addition, at the choice of the controller, the contract must state that the processor will delete or return the data at the end of the provision of the services unless retention is required by law. The contract shall require the processor to “make available to the controller the information necessary to demonstrate compliance” with CPA. Finally, the contract shall establish that the processor shall “allow for and contribute to, reasonable audits and inspections by the controller or the controller’s delegated auditor” OR (if the controller consents) the processor shall “arrange for a qualified and independent auditor to conduct, at least annually and at the processors expense, an audit of the processor’s policies and technical and organizational measures” using “an appropriate and accepted control standard or framework and audit procedure for the audits as applicable” and provide the report to the controller upon request. (See, Colorado C.R.S. 6–1–1305 (5)) Contracts may not relieve controllers or processors from the liabilities imposed by their roles under CPA. (See, Colorado C.R.S. 6–1–1305 (6))

5. Enforcement and Liability

5.1. Enforcement

The Colorado Attorney General and district attorneys have exclusive authority to enforce the CPA. A violation of CPA is deemed a deceptive trade practice.

  • Right to cure [until January 1, 2025]: Prior to enforcement, the Attorney General or district attorney must issue a notice of the violation to the controller if a cure is deemed possible. The controller has sixty days to fix the violation before an action can be brought against it. The right to cure will no longer apply after January 1st, 2025.

(See, Colorado C.R.S. 6–1–1311)

The CPA does not provide for a private right of action. (See, Colorado C.R.S. 6–1–1310 (1) & 6–1–1311 (2))

5.2. Liability

When multiple controllers or processors are involved in a violation the liability shall be allocated among them according to “principles of comparative fault.” (See, Colorado C.R.S. 6–1–1310 (2))

  • Contracts may not relieve controllers or processors from the liabilities imposed by their roles under CPA. (See, Colorado C.R.S. 6–1–1305 (6))
  • Liability for acts of sub-processors (compliant contract): When personal data is disclosed under a contract that complies with CPA, the controller or processor disclosing the data is not liable for the violations of the recipient of the data if “at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation” (See, Colorado C.R.S. 6–1–1305 (8)(a))
  • Processor liability for acts of disclosing parties (compliant contract): If a compliant contract is in place, neither controllers nor processors that receive data from another controller or processor are liable for CPA violations by the disclosing party. (See, Colorado C.R.S. 6–1–1305 (8)(b))

6. Rulemaking

The attorney general may promulgate rules to administer the act and is required to adopt rules detailing technical specifications for a universal opt-out mechanism that controllers must use.

The rules on opt-out mechanisms must:

  • Not permit the manufacturer of a platform, browser, device, or any other product offering a universal opt-out mechanism to unfairly disadvantage another controller;
  • Require controllers to inform consumers about the opt-out choices available under Colorado C.R.S. 6–1–1316(1)(a)(I);
  • Not adopt a mechanism that is a default setting, but rather one that clearly represents the consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data pursuant to Colorado C.R.S. 6–1–1316(1)(a)(I)(A) OR (B);
  • Adopt a mechanism that is consumer-friendly, clearly described, and easy to use by the average consumer;
  • Adopt a mechanism that is as consistent as possible with any other mechanism required by law or regulation in the United States; and
  • Permit the controller to accurately authenticate the consumer as a resident of Colorado and determine that the mechanism represents a legitimate request to opt out of the processing for the purposes of targeted advertising or sale.

In addition, by January 1, 2025 rules regarding issuance of opinion letters and interpretative guidance may be adopted to become effective by July 1, 2025.

(Colorado C.R.S. 6–1–1313)

Resources

Colorado Privacy Act as enacted through SB21–190


Golden Data Law is a mission driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.