The Colorado Privacy Act
The Colorado Privacy Act goes into effect on July 1, 2023. It will bring comprehensive data privacy regulation that will compel organizations to make wholesale changes to how they handle people’s sensitive information online. The bipartisan bill that received significant support in both chambers of the Colorado legislature was signed into law on July 8, 2021.
The passage of the Colorado Privacy Act makes it the third U.S. state to pass privacy legislation. Experts find the Colorado Privacy Act notable, in part, because of how soon it followed privacy laws that were passed in California and Virginia.
Colorado moved quickly to enact this legislation and acknowledges that the law will require fine-tuning. The model for this is California’s legislation, The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. Updates were quickly made, and the current California legislation will be partially replaced by the California Privacy Rights Act (CPRA) in 2023.
Let’s jump in and learn:
- Protecting Personal Data Privacy
- Overview of the Colorado Privacy Act
- Scope of the Colorado Privacy Act
- Exemptions in the Colorado Privacy Act
- Consumer Rights in the Colorado Privacy Act
- Obligations in the Colorado Privacy Act
- Enforcement of the Colorado Privacy Act
- The Colorado Privacy Act Aligns with Other Privacy Laws
Protecting Personal Data Privacy
Colorado lawmakers initially introduced the Colorado Privacy Act in the Senate in March 2021. Colorado Senate Bill 21-190 (S.B. 21-190) closely mirrored the Washington Privacy Act (Senate Bill 5062 or SB 5062 - 2021-22) and the Virginia Consumer Data Protection Act 2021 (CDPA). The Senate Business, Labor, and Technology Committee unanimously passed the bill out of committee after making a number of pro-business changes.
Most of these changes were removed in the significantly amended version of the bill that was passed by the Colorado Senate in May 2021. The Colorado House of Representatives made a few additional amendments before passing the bill in June 2021. A month later, the Governor signed the bill into law.
The catalyst for the Colorado Privacy Act was pressure to do more to protect consumers’ privacy. The European Union’s General Data Protection Regulation (GDPR) is regarded as the leader in data protection and privacy with other countries following suit with legislation, such as Australia’s Privacy Act, Argentina’s Personal Data Protection Law, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
California’s legislation was the first in the U.S., but some feel it did not go far enough, as loopholes have been exploited to share data with third parties for targeted advertising. The Colorado Privacy Act goes beyond California’s law by requiring an option for consumers to opt out of having their personal information shared to create consumer profiles.
Overview of the Colorado Privacy Act
The Colorado Privacy Act establishes and protects the privacy rights of Colorado residents and applies responsibilities to organizations conducting operations in the state. These privacy rights direct how organizations control, store, process, and maintain personally identifiable information (PII) or personal data.
Under the Colorado Privacy Act, personal data is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” The Colorado Privacy Act also protects sensitive data as a separate category of personal data. Sensitive data includes personal data that reveals:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data that may be processed to uniquely identify an individual
- Personal data from a child under the age of 13
It is noteworthy that the Colorado Privacy Act’s definition of sensitive data does not include precise geolocation data. In addition, it does not include:
- De-identified data
Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to such a person.
- Publicly available information
Information that is lawfully made available from federal, state, or local government records and information that an organization has a reasonable basis to believe the consumer has lawfully made available to the general public.
Scope of the Colorado Privacy Act
The Colorado Privacy Act applies to legal entities that conduct business or produce products or services that intentionally target Colorado residents. It is applicable to organizations that have a physical presence or are headquartered in the state, as well as organizations that engage with Colorado residents via a website or an application.
The Colorado Privacy Act also applies to organizations that either control or process personal data of more than 100,000 consumers per calendar year, derive revenue, or receive a discount on the price of goods or services from the sale of personal data. It also applies to organizations that control or process the personal data of at least 25,000 consumers. These stipulations follow California and Virginia laws to make compliance easier on smaller businesses.
Key Roles Under the Colorado Privacy Act
Under the Colorado Privacy Act, the definition of a consumer is more narrow than the CCPA. It only includes a Colorado resident acting in an individual or household context. It excludes individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
The Colorado Privacy Act defines a data controller as a person that, alone or jointly with others, determines the purposes for and means of processing personal data. By this definition, a data controller could be a company, but is not explicitly limited to businesses.
Unlike privacy laws in California and Virginia, the Colorado Privacy Act does not provide exemptions for non-profit organizations. The Colorado Privacy Act applies to all entities that meet certain thresholds regarding the amount of consumers’ data they process or control.
A data processor, under the Colorado Privacy Act, is a natural or legal entity that processes personal data on behalf of a controller. While most data processors are corporate entities, they can also be another third party.
Exemptions in the Colorado Privacy Act
The Colorado Privacy Act has a number of exemptions for certain listed entities, types of information, and specific activities.
Personal data already governed by various state and federal laws are exempt from the Colorado Privacy Act. This includes entities that are covered by:
- Governmental entities in Colorado
- Children’s Online Privacy Protection Act (COPPA)
- Driver’s Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Other organizations that are exempt from the Colorado Privacy Act are:
- Consumer reporting agencies
- Higher education institutions
- Entities that collect and/or process data for:
- Colorado health insurance law purposes
- Employment records purposes
- Entities that process de-identified personal data
- Judicial departments
- Public utilities
Consumer Rights in the Colorado Privacy Act
Consumer rights under the Colorado Privacy Act are relatively standard compared to other laws.
Five Rights Afforded Consumers Under the Colorado Privacy Act
1. Right of access
Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
2. Right to data portability
Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily. And, to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format. Consumers may exercise that right up to two times per calendar year.
3. Right to correction
Consumers have the right to correct inaccuracies in the personal data that an organization has stored, taking into consideration the nature of the personal data and the purposes of the processing.
4. Right to deletion
Consumers have the right to have organizations delete personal data that has been collected.
5. Right to opt-out
Consumers have the right to opt-out of the processing of personal their personal data for purposes of:
- Targeted advertising
- The sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Rights Not Afforded to Consumers Under the Colorado Privacy Act
The Colorado Privacy Act does not give consumers the right to private action (i.e., the ability to sue organizations for damages or injury in the event of an alleged violation). In addition, consumer rights do not apply to pseudonymous data if the organization can demonstrate that the information necessary to identify the consumer is kept separately and if the data is subject to effective technical and organizational controls that prevent the organization from accessing such information.
Obligations in the Colorado Privacy Act
Organizations subject to the Colorado Privacy Act are compelled to fulfill a number of duties, including the following.
Duty of Care
Organizations must take reasonable measures to secure data from unauthorized access. This includes protecting data during storage and use.
Duty of Data Minimization
Collect only consumers’ personal data that is adequate, relevant, and limited to what is reasonably necessary to fulfill the communicated purpose.
Duty of Purpose Specification
Make it clear to consumers why their personal data is being collected and for what specific purposes.
Duty of Transparency
Organizations must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- Categories of personal data collected or processed by the organization or a processor
- Purposes for which the categories of personal data are processed
- Estimate of how long the organization can or will maintain the consumer’s personal data
- Explanation of how and where consumers may exercise their rights*
- Categories of personal data that the controller shares with third parties
- Categories of third parties, if any, with which an organization shares personal data
Duty Regarding Sensitive Data
Sensitive data may not be processed without first obtaining the consumer’s consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian.
Duty to Avoid Secondary Use
Organizations may not process consumers’ personal data for purposes that are not reasonable or necessary to the communicated purpose.
Duty to Avoid Unlawful Discrimination
Organizations may not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers.
Duty to Conduct Data Protection Assessments
Data protection assessments must be conducted for each personal data processing activity that presents a “heightened risk of harm to consumers” before engaging in that data processing. Upon request, organizations must make these data protection assessments available to the Attorney General’s office.
A “heightened risk of harm to a consumer” includes:
- The processing of personal data for purposes of targeted advertising
- The processing of personal data for purposes of profiling if profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment or disparate impact of consumers
- Financial or physical injury to consumers
- Physical or other intrusions on consumers’ privacy
- Other substantial injuries to consumers
- The sale of personal data
- The processing of sensitive data
Contractual Requirements Under the Colorado Privacy Act
The Colorado Privacy Act requires organizations to have contracts with any processors. This contract governs the processor’s activities on behalf of the controller and must include the following.
- Processing instructions to which the processor is bound
- Nature and purpose of processing
- Type of data subject to, and duration of, the processing.
- Details about processors’ and their subcontractors’ confidentiality obligations
- Process for organizations to object to processors’ subcontractors
- Security requirements for both parties
- Plan for processors to delete or return all personal data to the controller upon completion of services
- Specifications for audits by the organization that includes information necessary to demonstrate compliance with the contract
*How and Where Consumers May Exercise Their Rights
According to the Colorado Privacy Act, organizations have to respond to consumers within 45 days if a consumer sends a privacy-related request. There are exceptions as well as the possibility of extending this window, which must include an explanation of why the extension is required. If an organization declines to fulfill a request, the consumer must be given an explanation. Acceptable reasons for denying a request include:
- if the consumer is mistaken
- the company does not have any data about them or cannot be reasonably authenticated for security before revealing the personal information
It is also generally acceptable to deny an excessive number of requests that are received in a short time.
Enforcement of the Colorado Privacy Act
The Colorado Privacy Act is enforced by the Colorado Attorney General’s Office and district attorneys. If a Colorado Privacy Act violation is alleged and appears reasonable or can be proved, the Attorney General’s office will send a notice to the organization. The entity will be given the option to remediate the issue.
Notably, the Colorado Privacy Act gives organizations 60 days from receipt of the notification to correct the violation. Known as a cure period, the Colorado Privacy Act offers organizations double the time allowed by the Virginia Consumer Data Protection Act 2021 (CDPA), California Consumer Privacy Act of 2018 (CCPA), and the California Privacy Rights Act of 2020 (CPRA).
Violations of the Colorado Privacy Act are subject to civil penalties as a deceptive trade practice and are governed by the Colorado Consumer Protection Act. The penalties can be steep, ranging from $2,000 to $20,000 per violation. Violations against an elderly person (i.e., sixty years of age or older) can be from $10,000 to $50,000 per violation. The Colorado Privacy Act has a cap for damages of $3 million for a related series of violations.
Because of the Consumer Protection Act oversight, Colorado Privacy Act violations can also lead to criminal charges. This is uncommon in privacy law internationally; however, there is precedent. For example, violations of South Africa’s Protection of Personal Information Act (POPIA) can result in prison sentences of up to 10 years.
The Colorado Privacy Act Aligns with Other Privacy Laws
Organizations already compliant with the CCPA, CPRA, and/or CDPA, or even the GDPR, will not have a significant amount of work to do to comply with the Colorado Privacy Act. While the legislation does have differences, the bulk of its directives are aligned with those privacy laws.
However, experts advise organizations to carefully review the requirements to ensure organizational compliance. It is also recommended that organizations regularly conduct data audits, risk assessments, and reviews of their privacy policies and operations.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 21st March, 2022