Three’s Company: Colorado Becomes Third U.S. State to Enact Comprehensive Privacy Law

PDF

On July 8, 2021, Governor Jared Polis signed into law the Colorado Privacy Act (“ColoPA”). Colorado is now the third U.S. state to enact a comprehensive privacy law, following the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“VCDPA”). The new law will go into effect on July 1, 2023.

What is ColoPA?

Similar to the California and Virginia laws, ColoPA is a cross-industry privacy law that provides certain privacy rights to Colorado residents over their personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable individual. Publicly available or otherwise de-identified information, along with employment records, is not included within this definition.

ColoPA also utilizes a controller/processor distinction, similar to the EU’s General Data Protection Regulation (“GDPR”), and imposes specific duties on the controllers and processors of consumer personal data.

What Organizations are Covered by ColoPA?

ColoPA applies to legal entities that conduct business in Colorado or that produce commercial products or services intentionally targeted to Colorado residents and either:

• control or process personal data of more than 100,000 consumers per calendar year;

OR

• derive revenue from the sale of personal data and control or processes the personal data of at least 25,000 consumers.

ColoPA does not define what it means to “conduct business” in Colorado. However, without further guidance from the Attorney General, it is likely that economic activity that triggers tax liability or personal jurisdiction in Colorado will also trigger applicability of ColoPA.

ColoPA contains both entity-level and data specific exemptions. For instance, some entities as a whole are exempt from ColoPA. This includes air carriers and national securities associations. ColoPA also exempts data that is subject to other state and federal laws and regulations, including the Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act (“HIPAA”), Fair Credit Reporting Act (“FCRA”), and the Children’s Online Privacy Protection Act (“COPPA”). Like the California and Virginia laws, however, these latter exemptions do not apply at the entity-level and instead only apply to data that is governed by and processed in accordance with such laws. Additionally, the definition of a “consumer” under ColoPA excludes individuals acting in a commercial or employment context.

What are the Duties of Controllers and Processors?

A “controller” is one that, alone or jointly with others, determines the purposes for and means of processing personal data.

The duties of controllers include:

1. Duty of transparency (requires controllers to provide consumers with a privacy notice containing certain information);
2. Duty of purpose specification (requires controllers to specify the express purpose for which data is collected and processed);
3. Duty of data minimization (requires that a controller’s collection of personal data be adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which data is processed);
4. Duty to avoid secondary use (prohibits controllers from processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which data is processed unless consent is retained);
5. Duty of care (requires controllers to implement reasonable measures to secure personal data);
6. Duty to avoid unlawful discrimination (prohibits controllers from processing personal data in violation of state or federal laws that prohibit discrimination); and
7. Duties regarding obtaining opt-in consent for processing “sensitive data,” which is defined as (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.

A “processor” is one that collects, uses, sells, stores, discloses, analyzes, deletes, or modifies personal data on behalf of a controller. Processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the statute.

Together, controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing and establish a clear allocation of the responsibilities between them to implement those measures.

What Rights Does ColoPA Provide to Consumers?

ColoPA provides Colorado consumers specific rights over the way their personal data is processed. The rights afforded to consumers include: (1) the right to opt out of certain processing of personal data; (2) the right to access personal data; (3) the right to correct inaccurate personal data; (4) the right to delete personal data; and (5) the right to data portability. Consumers can exercise these rights by submitting formal requests using the method(s) specified by the controller in their external privacy notice. Controllers will have 45 days to act on these requests.

Who has Rulemaking and Enforcement Authority?

The attorney general has the authority to promulgate rules for the purpose of carrying out ColoPA. The statute expressly provides that it does not create a private right of action. Instead, the attorney general and district attorneys will have exclusive enforcement powers, with violations punishable by civil penalties set forth in C.R.S. § 6-1-112. Penalties can be up to $20,000 for each violation. Each consumer involved can constitute a separate violation with a maximum penalty of $500,000 for a related series of violations.

What Actions Should be Taken Now?

Although there is some overlap among ColoPA, CCPA, CPRA, VCDPA, and GDPR, companies subject to this new statute should carefully assess its applicability and its unique requirements in preparation for its enforcement. If you have any questions about how ColoPA will impact your organization or for assistance with any other privacy issues your business is facing, contact:

Starr Turner Drum or Lauren Morina

This Client Alert is for information purposes only and should not be construed as legal advice. The information in this Client Alert is not intended to create and does not create an attorney-client relationship.

VIEW AS PDF.