On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.
Applicability and Exemptions
Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:
- The organization processes data on 100,000 or more Colorado consumers annually.
- The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.
This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.
There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.
Substantive Rights Largely Mirror Other State Privacy Laws
The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:
- Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
- Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
- Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
- Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, health conditions, genetic or biometric information, sex life or sexual orientation and citizenship status. Notably, unlike under the CDPA, geolocation information is not “sensitive” for these purposes.
In addition, for any of the activities that give rise to opt-out or opt-in rights, companies will be required to conduct and document “data protection assessments.” These assessments align with a similar requirement under the CDPA, and they must be made available to the Colorado Attorney General upon request.
“Secondary Uses” Restricted
One area where the CPA goes beyond the CCPA/CPRA and the CDPA is with the introduction of a new “duty to avoid secondary use.” This duty prohibits covered organizations from using data for purposes that “are not reasonably necessary or compatible with the specified purposes for which the personal data are processed.” Businesses can override this prohibition by obtaining the consumer’s consent for new processing activities.
Colorado’s prohibition on secondary uses—in conjunction with its requirements that businesses expressly identify the purpose of data collection—reflects a longstanding Federal Trade Commission (FTC) position that post-collection data practices must be consistent with pre-collection disclosures. However, due to the emphasis on “specified purposes” and the express “consent” requirement for new uses, the CPA arguably goes beyond FTC guidance by imposing a more explicit prohibition on such uses. Companies will need to scrutinize their privacy notices to ensure that any purposes are adequately specified to avoid running afoul of this new statutory requirement under the CPA.
Like other states and the European Union’s General Data Protection Regulation (GDPR), the CPA distinguishes between data “controllers” and “processors,” requiring mandatory contract terms between these entities. However, the new CPA adds some requirements not otherwise contained in existing US law or the GDPR. In particular, controllers and processors are expressly prohibited from introducing contract terms that “relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship.” This language could potentially undermine any indemnification terms the parties may have negotiated in their existing agreements. Covered organizations should examine their current vendor and customer contract templates to re-evaluate their exposure and to ensure that those contracts comply with the CPA’s contracting requirements.
Next Steps for Business
With the array of new privacy laws set to take effect in 2023, in-house counsel and privacy professionals have their work cut out for them in aligning their businesses with the expanding patchwork of state laws. As an initial step, organizations should evaluate whether they meet the applicability requirements for the CPA. As mentioned, many businesses will not meet the high bar for applicability of these laws. If the CPA is applicable, an important second step will be evaluating exposure to the new “sensitive data” requirements by updating or creating data maps that include the sensitive data categories.
Finally, companies should be careful not to lose sight of the bigger picture. While state legislative momentum may be slowing for the remainder of 2021, activity is expected to pick back up when many state legislatures reconvene in the beginning of 2022. As businesses take steps to understand and comply with the CPA and other laws, they should do so with future developments in mind, focusing on creating dynamic and “agile” privacy programs that can react quickly and adapt to the changing landscape.