The Colorado Privacy Act Is Here

What does it mean for you?

Joshua Zuke
Slalom Business
6 min read · Feb 22, 2024



As Colorado joins the growing list of states with data privacy legislation, your business may be subject to a variety of new obligations under the Colorado Privacy Act (CPA), which took effect on July 1, 2023. In a press release, the Colorado attorney general indicated that enforcement actions, including significant fines, are forthcoming:

“And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

Violations of the CPA are enforced as deceptive trade practices under the Colorado Consumer Protection Act, which allows civil penalties of up to $20,000 per violation, capped at $500,000 for any related series of violations. Because each affected consumer can count as a separate violation, a single defective consent flow can reach that cap quickly. Note that until January 1, 2025, the attorney general must first issue a notice of violation and allow 60 days to cure; after that date the cure period goes away.

State legislation, global context

At a global level, data privacy has become an increasingly critical issue over the past several years. The landmark General Data Protection Regulation (GDPR), implemented by the European Union in 2018, led the way for global reform in data privacy legislation. Following the EU’s lead, many nations have proposed or passed their own regulations to solidify consumer privacy protections.

In the United States, no overarching federal law exists to protect the privacy of general consumer data, but legislation at a state level has been gaining momentum. In 2018, California passed the California Consumer Privacy Act (CCPA), a comprehensive state-level privacy law that established an expansive set of consumer rights never before seen in the United States. Since its implementation in 2020, alleged violations of the CCPA have led to lawsuits against companies such as Amazon, Meta, TikTok, and Walgreens.

After the passing of the CCPA, Colorado, Connecticut, Utah, and Virginia were the first states to enact their own comprehensive consumer privacy laws. In 2022, over 60 privacy bills were considered across 29 states, including in five states that had never previously considered such legislation. The year 2023 saw the passing of consumer privacy laws in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas, bringing the total number of states with such legislation to 12, with no sign of slowing down.

This momentum is a clear indication that voters — and consumers — are increasingly focused on how the privacy of their data is being protected. Research from the International Association of Privacy Professionals (IAPP) shows that nearly 70% of consumers are concerned about their online privacy and have even decided to not purchase a product due to their concerns about a company’s data privacy practices. Establishing robust data privacy practices helps you develop a more compliant posture and retains the hard-earned trust of your customers.

Applicability of the CPA

In general terms, the CPA applies to “controllers,” the entities that determine the purposes for and means of processing personal data. Specifically, the CPA applies to controllers that meet both of the following requirements:

  • Conduct business in Colorado, or produce or deliver commercial products or services intentionally targeted to residents of Colorado, and
  • Control or process the personal data of at least 100,000 consumers during a calendar year, or at least 25,000 consumers if the controller derives revenue, or receives a discount on goods or services, from the sale of personal data.

Unlike the CCPA, the CPA has no annual revenue threshold, and unlike most other state laws it has no blanket exemption for nonprofits. “Consumer” means a Colorado resident acting in an individual or household context, so employee and business-to-business contact data fall outside the law.

The CPA creates carveouts for certain types of data that are already governed by federal legislation. For example, data already governed by the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act (FERPA), as well as a wide variety of healthcare data such as protected health information under HIPAA, are outside the purview of the CPA. Most of these exemptions are data-level rather than entity-level: a company that handles exempt data alongside other personal data is still a controller for the rest.

The applicability of the CPA is complex; refer to C.R.S. § 6-1-1304 of the CPA itself if you’re unsure whether it applies to your business.

User consent capabilities

The CPA establishes new requirements for companies to obtain meaningful, informed consent from Colorado residents in specific situations: before processing sensitive data (such as health data, precise geolocation, or data about children), before processing personal data for a purpose that is not reasonably necessary for or compatible with the purpose originally disclosed, and before selling or using for targeted advertising or profiling the data of a consumer who has already opted out. The CPA defines consent as a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, and that definition forces changes in many companies’ data collection practices. There are several ways in which common practices fail to align with these new requirements.

Purpose use limitations

Many companies use vague, blanket permissions rather than the specific notifications required to explain precise data use purposes. Data is highly valuable, and many companies collect a wide variety of consumer data without an explicit purpose. However, the CPA requires that companies clearly specify the explicit purpose for which personal data is collected and restrict their data collection to data that is “adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” Under the CPA, companies are required to notify consumers in advance about the purpose for personal data collection.

Affirmative consent

It is common to rely on implicit or passive consent from consumers to collect and process their data. For example, reliance on default settings, the continued use of a service, pre-checked boxes, or the closing of a consent flow are common approaches to obtaining consent that do not meet the CPA’s requirements. The statute is explicit that consent does not include acceptance of general terms of use, hovering over, muting, pausing, or closing a piece of content, or agreement obtained through dark patterns. The CPA requires positive action on the part of the user to demonstrate consent, such as actively checking a box or signing a document, and the controller must be able to produce a record of that action.

Opt-out settings

User flows for opting out of personal data collection are often difficult for consumers to find, rather than provided in the clear and conspicuous manner required by the CPA. Burying opt-out settings within dense privacy policies or account dashboards fails to meet the CPA’s requirements for simple and straightforward opt-out flows. Companies must honor consumer requests to opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects, and the CPA rules require that opt-outs take effect as soon as feasibly possible and no later than 15 days after the request. Beginning July 1, 2024, controllers must also honor opt-out signals sent through a universal opt-out mechanism recognized by the attorney general, such as the Global Privacy Control browser signal, which means your web stack needs to detect and act on that signal automatically rather than waiting for a manual request.

Plainly put, many companies don’t have compliant consumer consent flows or purpose use limitations required by the CPA. Assessing your current state, mapping how user data flows through your systems, and building a centralized data privacy function are all important steps toward establishing data governance practices that enable data privacy maturity and compliance.

Processing of individual rights requests

Colorado residents have several protections and rights under the CPA, including the right to access, delete, and correct their personal data, the right to opt out of targeted advertising, sales, and certain profiling, and the right to data portability, meaning that consumers can obtain a copy of their data in a portable and, where technically feasible, readily usable format that allows them to transfer it to another service.

Colorado residents are allowed to make requests of your company to provide all personal data you have about them. Under the CPA, companies are required to respond within 45 days of receiving the request, extendable by a further 45 days when reasonably necessary, and must offer an appeals process for denied requests. Before fulfilling a request, the controller must authenticate the requester using commercially reasonable means; an unauthenticated access request is an easy way for an attacker to have someone else’s data handed to them, so the verification step is a security control and not just paperwork. For many companies, responding to such requests is highly manual, time-consuming, and technically difficult. These technical challenges can lead to errors in the fulfillment of requests from consumers and open up companies to litigation and fines.

In order to meet the requirements of the CPA, your company’s data governance must be capable of locating all relevant data about a consumer quickly, wherever it is stored, including copies held by third-party processors acting on your behalf. Converting legacy data systems, adopting new privacy solution technologies, and developing training and awareness programs are key steps toward implementing a robust and efficient process for quickly responding to such data requests, freeing you to focus on delivering your core business.

Don’t just react — take action

As one of the first states to enact a comprehensive data privacy law, Colorado, through the CPA, brings significant new compliance obligations for companies doing business in the state. The Colorado attorney general has signaled a commitment to holding businesses accountable to these new standards through strong enforcement mechanisms.

Meeting these obligations requires that companies take a proactive stance and make investments in their privacy infrastructure. From reevaluating consent flows to adopting new privacy-enhancing technologies, the investments needed to achieve CPA compliance should serve as a catalyst for designing privacy into the fabric of your business. In the long run, these investments will return higher levels of consumer trust and reduced risk exposure.

The CPA is yet another signal that the data privacy landscape is evolving rapidly, and this rate of change requires a proactive stance to achieve and maintain compliance. Don’t wait for an audit or privacy incident before you take action.

Slalom is a next-generation professional services company creating value at the intersection of business, technology, and humanity. Learn more and reach out today.
