Understanding the Colorado Privacy Act(CPA) and Its Implications for Data Privacy

Governor Jared Polis signed the Colorado Privacy Act in 2021, but most of the provisions became enforceable in July 2023.

Colorado was the third state to enact a comprehensive privacy law protecting consumer personal information. It followed the California Consumer Privacy Act (CCPA, amended by the California Privacy Rights Act) and Virginia's Consumer Data Protection Act. It follows the concepts set out in these two laws, which at the same time make it different from the EU's General Data Protection Regulation.

Does the Colorado Privacy Act apply to my business?

The Colorado Privacy Act applies to your business if you do business in Colorado and either:

1. Control the processing of personal data for 100,000 Colorado consumers or more.
2. Control the processing of personal data by 25,000 Colorado residents or more and derive revenue from the sale of personal data.

There are no revenue thresholds like in Virginia and California. The Colorado data privacy law applies to all businesses of all sizes as long as they meet the processing thresholds set out in the law.

In addition, the Colorado Consumer Protection Act does not apply to the personal information covered by:

• Children's Online Privacy Protection Act of 1998;
• Family Educational Rights and Privacy Act of 1974;
• Gramm-Leach-Bliley Act (GLBA);
• Health Insurance Portability and Accountability Act (HIPAA); and
• Fair Credit Reporting Act (FCRA).

What is personal information under the CPA?

The data protection law in Colorado defines any type of information that could identify an individual as personal information.

Therefore, personal information can be anything from SSN and personal name to IP address, browsing behavior, and device fingerprints. Anything can be personal information.

How to comply with the Colorado Privacy Act (CPA) in 2024

The Colorado Privacy Act requires businesses to meet several standards to achieve consumer data privacy compliance and avoid troubles with the Colorado Attorney General's Office.

The most important ones include:

Data Minimization

Under the Colorado Privacy Act (CPA), the data minimization principle has two key aspects:

1. Limiting collection, meaning that controllers can only collect personal data that is adequate, relevant, and limited to what is reasonably necessary for the stated purposes of processing. They can't just collect everything they might find useful later; it must be directly tied to a specific reason for using it.

For example, a store collecting your name and address for delivery is fine, but collecting your browsing history might not be if it's not used for personalization directly related to your purchase.

2. Regular review and deletion, meaning that controllers must review whether the collected data is still necessary, adequate, or relevant for the stated purposes at least once a year. This applies particularly to sensitive data like biometrics, photos, or audio recordings.

Purpose Limitation

The purpose limitation principle under the Colorado Privacy Act (CPA) goes hand-in-hand with the data minimization principle and complements it by focusing on how the collected data can be used. Here's what it means:

1. Transparency about data purposes. Controllers must be transparent about the specific purposes for which they collect and process personal data. They must state them in the privacy notice served to consumers. They need to inform consumers explicitly about how their information will be used before collecting it.

2. Processing within specified purposes, requiring controllers to only process personal data for the purposes originally disclosed to consumers and for which their consent was obtained (if required). This means they cannot use the data for other purposes without first obtaining new consent from the consumer. This means they cannot repurpose the data for something entirely different from what they initially stated.

However, the CPA allows for some exceptions, such as processing for legal compliance, fraud prevention, or internal research purposes, under certain conditions.

Privacy Notice (Colorado CPA Privacy Policy)

Businesses targeting residents of Colorado must serve consumers with a meaningful privacy notice. In practice, that's your privacy policy. The Colorado privacy policy aims to inform consumers about your processing activities. It needs, at a minimum, to contain the following:

• Identity and contact information. Make it clear that you are the "controller" (business collecting data) and provide contact details for questions about your privacy practices.
• Categories of personal data collected. List the types of personal data you collect from Colorado residents, such as name, address, geolocation, browsing history, etc.
• Purposes of data collection and processing. Explain the reasons for collecting each category of data and its usage. Be specific and transparent.
• Retention period. Describe the duration for which you store each category of data and the criteria for its deletion.
• Sharing with third parties. Reveal if you share personal data with third parties (like service providers), identifying them and the purposes for which the data is shared.
• Consumer rights. Detail the five rights granted to Colorado residents under the CPA (access, correction, deletion, portability, opt-out of "sale" or processing for targeted advertising) and provide clear instructions on how to exercise these rights.
• Effective date. Indicate the date when your privacy notice was last updated.

Consent for Processing Sensitive Personal Information

The Colorado comprehensive data privacy law uses an opt-out approach for most data processing, meaning you can collect and process data without consent as long as you provide a way for consumers to opt-out. 

In some cases, you need opt-in consent, meaning you require a positive affirmation from the consumer before proceeding with the processing.

The Colorado Privacy Act (CPA) has specific requirements for when and how consent is needed for processing personal data. It is needed in three cases:

• Processing sensitive data. You must obtain opt-in consent before processing sensitive data, which includes things like:
• 1. Racial or ethnic origin
• 2. Religious beliefs
• 3. Mental or physical health conditions
• 4. Social security number
• 5. Sexual orientation or gender identity
• 6. Biometric data (e.g., fingerprints, facial recognition)
• 7. Data concerning children
• Processing for secondary purposes. If you want to use data for a purpose different from what you originally disclosed when collecting it, you need to obtain opt-in consent unless it falls under specific exceptions like legal compliance or fraud prevention.
• Selling or processing data for targeted advertising after opt-out. If a consumer has already opted out of the sale or processing of their data for targeted advertising, you need their opt-in consent to resume these activities.

To be valid, consent must meet specific criteria:

• Clear and affirmative, meaning that it should be clear what the consumer is consenting to and must be a conscious, positive action (not silence, pre-checked boxes, or inactivity). Only an affirmative act signifying a consumer's freely given consent is a valid way of obtaining it.
• Freely given: There should be no pressure or coercion to consent.
• Specific: The consent should be specific to the particular data use and purpose.
• Informed: The consumer should be provided with clear and understandable information about how their data will be used and their rights under the CPA.
• Unambiguous: The consent should be clear and leave no room for misinterpretation.

Read more about Colorado cookie consent here.

Opt-Out

Under the CPA, businesses (controllers) must offer consumers the choice to opt out of specific data processing activities, which include:

• Targeted advertising. Consumers can opt out of their personal data being used for targeted advertising. This means refraining from using social media cookies and pixels to track their online activities.
• Sales of personal data. If you sell personal information, consumers have the right to opt out. This involves transferring personal data to third parties in exchange for money or other valuable considerations.
• Profiling. Profiling encompasses any automated processing of personal data to assess, analyze, or predict various aspects of an individual's life, such as work performance, financial status, health, preferences, interests, behavior, location, or movements. Consumers can opt out of profiling that could have legal or significant impacts on them. This commonly includes opting out of automated profiling on platforms like social media, insurance software, or HR systems.

To comply with the CPA opt-out requirements, businesses subject to the Colorado state privacy legislation should:

• Clearly and prominently notify consumers about their ability to opt out of targeted advertising and the sale of their personal data.
• Ensure the opt-out process is user-friendly and accessible. Controllers must establish the technical specifications of a universal opt-out mechanism selected by the user by July 1, 2024. It's advisable to include a link to the opt-out mechanism in the website footer.
• Respond to consumer opt-out requests within 45 days. If necessary, this timeframe can be extended by another 45 days, provided consumers are informed of the extension within the initial 45-day period.
• Update their privacy policy to detail how consumers can exercise their opt-out rights and appeal any adverse decisions made by controllers. The privacy policy should also outline the procedures for submitting opt-out requests.

Consumer rights and requests

The Consumer Protection Act (CPA) provides individuals, or the parents or guardians of children under 13, with these rights:

• Opt-out of personal data processing, or designate someone else to opt-out on their behalf, for (1) Targeted advertising, (2) Personal data sales and (3) Profiling that has legal or significant effects on the individual, as defined by the CPA.
• Know if a controller processes their personal data.
• Access, rectify, and erase their personal data.
• Receive a copy of their personal data in a commonly used and machine-readable format, akin to the right to data portability in other jurisdictions, twice a year.

Consumers can exercise their rights by submitting consumer requests. You are obliged to list the methods for submitting the requests in your privacy policy. In the event that a consumer submits it in another way, you shall treat it as if it had been submitted properly or guide the consumer on how to do that.

Privacy Impact Assessments under the Colorado Privacy Act

The Colorado Privacy Act (CPA) may not explicitly require data protection impact assessments (DPIAs), but it does strongly suggest businesses carry them out for activities that present a "heightened risk" to consumer privacy.

The CPA outlines specific activities that require a closer look due to their potential privacy implications. These activities include:

• Profiling, where personal data is analyzed to predict behaviors, preferences, characteristics, or needs;
• Targeted advertising, which involves using personal data to deliver ads specifically tailored to individuals or groups;
• The sale of personal data, defined as disclosing personal data in exchange for monetary or other valuable consideration,
• Processing sensitive personal data, which includes handling data categories considered particularly sensitive, such as race, religion, health information, biometrics, or sexual orientation.

Businesses should evaluate the nature, scope, context, and purpose of the data processing to fully understand the potential impact on individuals. Identifying risks to individuals, such as discrimination, reputational damage, or financial loss, is what you need to assess.

Assessing the safeguards in place, such as data minimization practices, encryption, or access controls, can help mitigate identified risks. You also need to weigh the benefits of processing against the potential risks.

To effectively manage these assessments, best practices include documenting the assessment process, outlining the risks identified, evaluating safeguards, and recording the decisions made. It's also important to regularly review and update assessments to reflect changes in business practices or the regulatory environment.

Enforcement of the Colorado CPA

Consumers can file complaints with the Attorney General's office or their local district attorney. The Attorney General or District Attorney may investigate the complaint and take appropriate action, including issuing warnings, seeking civil penalties, or filing lawsuits.

Individuals can also file private lawsuits for injunctive relief, and the NCLC can bring lawsuits on behalf of consumers.

This means that the enforcement of the Colorado Privacy Act (CPA) involves a collaboration between several entities:

The Colorado Attorney General (AG) holds the primary responsibility for enforcing the CPA. They can investigate potential violations, issue subpoenas, and take legal action against violators, including seeking civil penalties of up to $5,000 per violation.

In addition, the Attorney General's Office publishes rules and guidance to further clarify the CPA's requirements.

District attorneys have concurrent authority to enforce the CPA within their jurisdictions. They can investigate complaints and take legal action, similar to the Attorney General.

Finally, private individuals can sue for injunctive relief if they believe the CPA has been violated. They cannot seek monetary damages in private lawsuits under the CPA.

The National Consumer Law Center (NCLC) also plays a role in the CPA enforcement landscape. It has the right to bring lawsuits on behalf of Colorado residents to enforce the CPA. The NCLC can seek both injunctive relief and monetary damages in these lawsuits.