On June 8, 2021, the Colorado Senate passed the Colorado Privacy Act (“CPA”), which will become state law if Governor Jared Polis signs it within 30 days. If signed as expected, Colorado will become the third state in the United States to enact a comprehensive consumer privacy law.
Companies doing business in the state should update their privacy frameworks to comply with CPA, as it shares similarities with existing data privacy laws, but has notable differences which require a flexible approach.
Who is subject to CPA?
The CPA applies to companies that conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents, and that either:
- Control or process the personal data of 100,000 or more Colorado residents during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the “sale” of personal data and control or process the personal data of 25,000 or more Colorado residents.
Note that the second prong is conjunctive: a company that sells personal data is covered only if it also handles the data of at least 25,000 residents. Note also that the CPA has no revenue threshold, a significant difference from the California Consumer Privacy Act (“CCPA”), which includes an annual gross revenue threshold of $25 million among its applicability tests.
Are there exemptions to CPA?
Yes. The CPA includes various exemptions, including:
- Health care entities and health data, such as protected health information under HIPAA, patient identifying information maintained by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research;
- Personal data regulated by:
- the Gramm-Leach-Bliley Act (“GLBA”),
- the Driver’s Privacy Protection Act (“DPPA”),
- the Children’s Online Privacy Protection Act (“COPPA”), and
- the Family Educational Rights and Privacy Act (“FERPA”); and
- Data maintained for employment records purposes.
Additionally, while a “consumer” for purposes of the CPA means a “natural person who is a resident of Colorado”, the definition explicitly excludes “an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context”. Business-to-business and employee data therefore fall outside the CPA’s consumer rights.
How can companies comply with CPA?
While similar to the CCPA and the Virginia Consumer Data Protection Act (“VCDPA”), the CPA has some notable differences that companies should be aware of when considering their approach to data privacy in the state.
Definition of ‘Sale’
The CPA defines a “sale” as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. Because “other valuable consideration” counts, the definition is closer to the CCPA’s than to the VCDPA’s, which is limited to exchanges for monetary consideration. The CPA carves out several disclosures that are not sales. First, it is not a sale if “a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party.” Second, it is not a sale if the personal data is “intentionally made available to the general public via a channel of mass media and the consumer did not restrict the information to a specific audience.” This second exception appears to exclude activities such as data scraping of publicly posted information.
Right to Opt Out of Processing
The CPA contains the right to opt out of the processing of personal data in three instances: (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
The CPA requires controllers to provide consumers with “clear notice” and “the opportunity to opt out of processing” of sensitive data. This is significantly narrower than the original bill as proposed, which would have required companies to obtain a consumer’s affirmative consent before processing sensitive data.
Universal Opt-Out Mechanism
By July 1, 2024, a company that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out of such processing through a “user-selected universal opt-out mechanism,” such as a browser or device setting that signals the opt-out to every site the consumer visits. This will have significant implications for the marketing industry and for companies that use cookies and tracking scripts to collect consumer data: the tracking stack will need to read the signal and suppress targeted advertising and sale-related processing for that consumer, rather than relying solely on a site-by-site opt-out link. The CPA directs the attorney general to adopt rules specifying the technical details of the mechanism, and sets requirements for those rules, including that the mechanism must represent the consumer’s affirmative choice to opt out, be consumer-friendly, and allow the controller to accurately authenticate the consumer.
What are the ramifications for noncompliance?
The Colorado attorney general’s office and state district attorneys will enforce the CPA. A violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act, which provides for civil penalties of up to $20,000 per violation, with a maximum of $500,000 in total for any related series of violations. Notably, the CPA includes a right to cure that requires the attorney general or district attorney to notify a business of an alleged violation before bringing an enforcement action, after which the business has 60 days to cure the violation. There is no express private right of action for Colorado residents.
When is the CPA going into effect?
Most of the CPA’s provisions are expected to go into effect July 1, 2023.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.