On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.
Applicability and Exemptions
Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:
- The organization processes data on 100,000 or more Colorado consumers annually.
- The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.
This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.
There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.
Substantive Rights Largely Mirror Other State Privacy Laws
The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:
- Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
- Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
- Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
- Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, [...]