Will Colorado’s New Data Privacy Law Affect Your Business?
As federal lawmakers struggle to pass a nationwide data privacy law, states are beginning to enact their own legislation. Colorado recently passed a state privacy law that is scheduled to go into effect July 1, 2023. Anyone living in Colorado, conducting business with Colorado residents, or operating a business in Colorado, should have the Colorado Privacy Act (CPA) at the top of mind.
In addition to giving consumers rights and protections over their data, the regulation requires companies to be accountable to their consumers and implement protections over consumer data. The CPA is a comprehensive data privacy law akin to the California Consumer Privacy Act (CCPA) and the Consumer Data Protection Act (CDPA) recently passed in Virginia. The CPA applies to organizations handling the data of 100,000 or more consumers annually or if revenue is derived from the sale or processing of data from 25,000 or more consumers annually.
For organizations, the first step in complying with the new regulation is to designate a new or existing employee as the company’s Data Controller to be responsible for ensuring the safety of collected consumer data and handling data requests from consumers.
Definitions of Key Terms
Some keywords could have a material impact on the interpretation of certain areas of the regulation. These keywords and their definitions, summarized from the CPA, are:
- Consent: A clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, given by a written statement, an electronic statement, or another clear, affirmative action by which the consumer signifies agreement to the processing of personal data.
- Consumer: An individual who is a Colorado resident acting only in an individual or household context.
- Personal Data: Information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.
- Controller: A person that, alone or jointly with others, determines the purposes for and means of processing personal data. Controllers must be able to respond to and authenticate consumer requests free of charge, secure personal data, notify affected individuals of data breaches, and document the results of the data protection assessment.
- Processor: A person who processes personal data on behalf of a controller. Processors must ensure the confidentiality of the data and are bound by a contract with the controller that includes the instructions for data processing, the types of data to be processed, and the requirement to cooperate with regulatory authorities during audits and investigations.
- De-Identified: Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to an individual.
- Sale: The exchange of personal data for monetary or other valuable consideration by a controller to a third party.
- Sensitive Data: Personal data revealing ethnic background, racial origin, religious beliefs, mental health, physical health, sexual orientation, or citizenship status.
Does the CPA Apply to Your Organization?
The CPA applies only to organizations that meet the thresholds described above. Once it applies, its requirements specify that:
- All company privacy notices must include the categories of data being processed, the purpose for the collection and processing of data, how consumer rights may be executed, and what data is shared with third parties.
- A Data Protection Assessment (DPA), completed by the controller or an independent third party, is required annually for each processing activity. The DPA must check those activities against potential risks to the rights of consumers and the safety of their data. The DPA should assess the data safeguards implemented while considering the use of de-identified data, reasonable consumer expectations, the context of the processing, and the relationship of the controller with the consumer based on the consumer’s consent.
- If a notice of a violation of the regulation is provided to the company by the District Attorney or Attorney General, the company has 60 days to cure the violation. Non-compliance can result in fines of up to $20,000.
- If a request for data is submitted, but the controller can prove that the company cannot identify a consumer with the data it has, the company does not need to fulfill the request.
- An appeals process is available to all consumers. Controllers must respond to appeals within 45 days and, if necessary, inform the consumer that they may contact the Attorney General or District Attorney. The controller must also provide the consumer with contact information for the Attorney General or District Attorney.
In two of its most important provisions, the CPA 1) gives consumers the right to have their data deleted or erased from company records entirely and receive proof of the deletion and 2) requires that inaccuracies of consumer data be corrected and that the consumer receives proof of the correction.
Colorado consumers also have the right to:
- Access all of their personal data stored by an organization, along with the purpose for which it is processed.
- Opt out of any collection or processing campaigns by a company, including targeted advertising, sales of data, and consumer profiling for decisions involving legal matters. This mechanism must be obvious and clearly presented to consumers so they may affirm their decision.
- Take their data from one company to another without obstruction (data portability). This specific right can only be exercised twice per calendar year.
- Restrict how their personal data can be processed.
- Be protected from organizations using their personal data for automated decision-making.
While the provisions and requirements are similar to those in the CCPA and CDPA, the CPA applies specifically to Colorado residents. The CPA doesn’t cover certain categories of data that are already regulated by other laws, and it doesn’t allow for any private right of action.
The regulations will go into effect on July 1, 2023. Organizations doing business with and/or maintaining data of Colorado residents should be taking steps now to update their privacy policies and procedures to include the requirements outlined in the CPA.
How Will the New Law Affect Your Company?
As with the GDPR, CCPA, and CDPA, implementing compliance activities for a new regulation can be a headache. As you consider your organization’s options for CPA compliance, here are some questions to consider:
- What kind of data does our organization need to be successful? How does the organization use it?
- Would any of the data we collect be considered personally identifiable information (PII)?
- In what capacity does our organization conduct business with Colorado residents?
- Where do we store consumer data if we collect it? Is it secured appropriately?
- If we don’t have a Data Privacy Officer or Controller, do we have someone we can designate as the Data Controller?
- Does our organization currently perform any type of data protection activities? If so, how are those being leveraged to protect consumer data?
- Of the data we collect, which is already regulated by active federal laws like HIPAA or the Children’s Online Privacy Protection Act (COPPA)?
- If our organization is a non-profit, does the CPA apply to us?
Organizations that are proactive in their approach to privacy should find that their resources and business procedures won’t be hindered when consumer requests begin coming in.
For more information about the CPA and how it may apply to your business, contact us. We are here to help.
Authored by Hunter Sundbeck, CDPSE.
© 2021