Colorado’s new comprehensive privacy law (CPA)

A look at the requirements of the Colorado Privacy Act (CPA).

The US data privacy legislative landscape is becoming increasingly fragmented, and organizations that operate in or do business with the USA need to keep track of the new legislation that is being planned. Businesses also need to make sure that they understand and comply with the new laws when they go live. Following in California and Virginia’s footsteps, Colorado has passed a new comprehensive privacy law, the Colorado Privacy Act (CPA).  

In this article, we will look at who should comply with the CPA, and outline the main requirements. 

Applicability

The CPA applies to “controllers.” Your business is a “controller” if it conducts business in Colorado or target consumers in Colorado, and either:

1. Controls or processes the personal data of more than 100,000 consumers per calendar year, or
2. Derives revenue from the sale of personal data, and processes or controls the personal data of 25,000 or more consumers.

Confused about whether this applies to you? That brings us on to the law’s definitions.

Definitions

What’s “personal data”?

The CPA defines “personal data” as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition excludes publicly available and de-identified personal data.

What’s “sensitive data”?

As we’ll see below, the CPA contains certain special rules in relation to “sensitive personal data,” which includes information about a person’s:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health
• Sex life or sexual orientation
• Citizenship or citizenship status

Sensitive data also includes genetic or biometric information and information about children.

What’s a “consumer”?

The CPA defines a “consumer” as a Colorado resident “acting only in an individual or household context,” and doesn’t include employees or job applicants.

What does “selling” personal data mean?

The “sale” of personal data means “the exchange of personal data for monetary or other valuable consideration to a third party.”

“Valuable consideration” can include any benefit you derive from disclosing or transferring personal data. As such, this is a broad definition of “sale”—similar to that of the California Consumer Privacy Act (CCPA).

But there are exceptions. The “sale” threshold is not met if you’re disclosing personal data:

• To a processor
• To a third party in order to provide products or services requested by the consumer
• To an affiliate
• As part of a merger, acquisition, or bankruptcy
• At the consumer’s request
• That has been made public via “mass media”

Consumer Rights

The CPA provides consumers with five rights over their personal data. Broadly speaking, the CPA’s consumer rights are:

• The right to opt out: Consumers may opt out of targeted advertising, the sale of their personal data, and profiling in respect of decisions with “legal or similarly significant effects.”
• The right of access: Consumers have the right to access a copy of the personal data a controller holds about them.
• The right to correction: Consumers have the right to correct any inaccurate personal data a controller holds about them.
• The right to deletion: Consumers have the right to delete personal data a controller holds about them.
• The right to data portability: Consumers may receive a copy of their personal data in a portable and readily usable format.

You must respond to a consumer request within 45 days. A possible 45-day extension is available if “reasonably necessary.”

Duties of Controllers

The CPA imposes seven “duties” on controllers. Broadly speaking, the CPA’s duties are:

• Duty of transparency: Controllers must provide consumers with a privacy notice detailing the controller’s processing activities.
• Duty of purpose specification: Controllers must specify the purposes for which they are collecting and processing personal data.
• Duty of data minimisation: Controllers must only collect personal information that is adequate, relevant, and limited to what is necessary in relation to a specified purpose.
• Duty to avoid secondary use: Unless reasonably necessary, controllers must not process personal data for further purposes that are incompatible with the specified original purpose for which it was collected.
• Duty of care: Controllers must take reasonable security measures to protect personal data.
• Duty to avoid unlawful discrimination: Controllers must not process personal data in violation of anti-discrimination law.
• Duty regarding sensitive data: Controllers must not process sensitive data about a consumer without the consumer’s consent.

Data Protection Assessments

Controllers must undertake a “data protection assessment” if they’re planning to carry out certain data processing activity, including:

• Targeted advertising where there are reasonably foreseeable risks to the consumer
• Selling personal data
• Processing sensitive data

A data protection assessment involves weighing the risks and benefits of the processing operation and identifying reasonably foreseeable risks.

Enforcement

Violations of the CPA are punishable by a civil penalty of up to $2,000 per violation. The law does not contain a private right of action, meaning that consumers cannot take controllers to court for infringing their rights under the CPA.