Colorado Introduces New State Privacy Law
17 June 2021
Technology & eCommerce Regulation in the Spotlight
The Colorado legislature unanimously passed a new and comprehensive privacy act – the Colorado Privacy Act (“Act”), making Colorado the third US state – after California and Virginia – to enact a broad consumer data privacy law.
The Act seeks to give Colorado residents (“consumers”) more control over their personal data, including by providing them with data privacy rights similar to those provided under the California Consumer Privacy Act (“CCPA”), Virginia’s Consumer Data Protection Act (“VCDPA”) and, to some extent, the European General Data Protection Regulation (“GDPR”).
As it stands, the Act would only apply to entities that conduct business in Colorado or produce commercial products or services that are intentionally targeted to Colorado residents if one of the following applies to such entities:
- During a calendar year, the entity controls or processes personal data of at least 100,000 consumers; or
- The entity controls or processes personal data of at least 25,000 consumers and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
Under the Act, “consumer” is defined narrowly to include Colorado residents acting only in an individual or household context. This means that, similarly to the VCDPA (as we recently reported), data gathered about employees, job applicants and business contacts is out of scope.
Personal data is defined under the Act as information that is linked, or reasonably linkable, to an identified or identifiable individual, yet – unlike other consumer privacy laws from recent years – it does not include de-identified data or publicly available information, including data that was made publicly available by the consumer.
Similarly to the CCPA, the Act exempts several types of personal information the processing of which is already governed under federal laws (e.g. HIPAA, GLBA, etc.). The Act also affords extra protections for the processing of sensitive data – which has a similar definition to “special categories of data” under the GDPR – requiring controllers to receive consumers’ freely given, clear, specific and unambiguous consent before processing.
Like the GDPR and the VCDPA, the Act distinguishes between controllers and processors. A “controller” alone or jointly with others determines the purposes for and means of processing personal data, and bears most responsibilities under the Act. “Processors” process personal data on behalf of a controller, yet are directly obligated under the Act to assist controllers with their compliance efforts. According to the Act, determining whether an entity is acting as a controller or processor is fact based. Accordingly, an entity that is not limited in its processing to the controller’s instructions, or that fails to adhere to these instructions, will be deemed a controller. The Act requires controllers and processors to enter into a written contract.
Under the Act, controllers are required to comply with certain principles when processing personal data, including avoiding processing for secondary purposes that are not compatible with the specified permitted purpose, using reasonable measures to secure personal data, and avoiding unlawful discrimination. In this context, the Act provides that data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
In addition to the above-mentioned provisions, controllers are required to conduct and document a data protection impact assessment (“DPIA”) when conducting processing that presents a heightened risk of harm to a consumer. Examples of processing that presents a heightened risk include the processing of personal data for targeted advertising, the sale of personal data, and the processing of sensitive data. The DPIA must be made available to the Colorado Attorney General upon request.
Controllers are required to provide a privacy notice to consumers, including details regarding (1) the categories of personal data collected, processed, and shared; (2) the purposes for processing; (3) the categories of third parties with whom the personal data is shared; (4) the way consumers may exercise their rights; and (5) whether the controller sells personal data or processes personal data for targeted advertising.
As mentioned, the Act grants consumers data privacy rights similar to those provided under the CCPA and the VCDPA, including the rights to access, obtain a copy of, correct, and delete their personal data. It also provides consumers the right to opt out of the sale of their personal data, targeted advertising, and profiling that produces legal or similarly significant effects concerning the consumer. Under the Act, controllers are required to establish an internal process whereby consumers may appeal the controller’s refusal to act on any of the rights under the Act. Notably, consumer rights do not apply to pseudonymized data if the controller can demonstrate that the information required to identify the consumers is kept separately and is subject to effective measures that prevent the controller from accessing that information.
Unlike the CCPA, the Act does not create a private right of action allowing individual consumers to sue for violations. Instead, the Colorado attorney general and the district attorneys have exclusive authority to enforce the Act by imposing penalties of up to $20,000 per violation, capped at $500,000 for any related series of violations. However, until 1 January 2025, any enforcement action will be subject to a prior 60-day notice, allowing controllers to cure the violation.
The Act is still subject to the Colorado Governor’s signature; however, approval without any changes is expected, as a consolidated version of the law was approved by both the state’s House of Representatives and its Senate. The law is expected to enter into force on 1 July 2023.
The Act presents an important regulatory development for entities that conduct business in connection with personal data of Colorado residents – companies should assess the Act’s applicability to them and examine whether their practices are compliant with the Act. Feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation