On March 19, 2021, Senators Rodriguez and Lundeen introduced the Colorado Privacy Act (“CPA”) bill, which would provide additional protections for the personal data of state residents. If passed, the bill would have a far-reaching impact on businesses collecting and using personal information about Colorado residents, whether operating inside or outside the state. We will continue to monitor developments, but if you have any questions or would like to discuss specific issues in the bill, please reach out to Camila Tobón.
DGS will be hosting a webinar to discuss the bill on Tuesday, April 13, 2021 from noon to 1 p.m.
To whom does the CPA bill apply?
The CPA aims to protect the personal data of “consumers,” which means a natural person who is a Colorado resident acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
The CPA refers to “controllers” and “processors.” A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of the controller. The CPA bill also introduces the concept of a “third party,” which is defined as “a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.”
To be subject to the CPA, legal entities would have to:
What does the CPA bill protect?
The CPA bill protects “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.
The CPA bill excepts certain data sets, including:
The CPA bill also includes an entity-level exemption for financial institutions or affiliates of a financial institution that are subject to the GLBA. Any personal data processed by these entities would be out of scope of the CPA bill, not just the personal data handled pursuant to the GLBA and its implementing regulations.
Does the CPA define “sale” of personal data?
The CPA defines “sale” as the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties. It includes several exceptions:
What consumer rights does the CPA bill provide?
The CPA would provide consumers with the following rights:
Controllers would have 45 days to respond to requests to exercise consumer rights, which could be extended to 90 days where reasonably necessary. Controllers must provide information free of charge except that a fee (to be calculated pursuant to the state public records statute) may be charged for the second or subsequent request within a twelve-month period.
The CPA bill requires controllers to establish an internal process for consumers to appeal a refusal to act on a request to exercise any of their consumer rights. If the consumer has concerns about the result of the appeal, they can contact the Attorney General.
What does the CPA bill require of “controllers”?
Controllers must provide consumers with a privacy notice describing the categories of personal data collected or processed, the purposes for processing, an estimate of how long personal data will be retained, how and where consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom personal data are shared. If a controller sells personal data to third parties or processes personal data for targeted advertising, it must disclose such sale or processing as well as the manner in which the consumer may exercise the right to object to such sale or processing.
Other requirements imposed on controllers include:
Controllers must get consent to process “sensitive data,” which include:
Controllers must also conduct data protection assessments for processing activities presenting a heightened risk of harm to consumers, which include targeted advertising or profiling; the sale of personal data; and sensitive data processing. Such data protection assessments must be made available to the Attorney General upon request.
What does the CPA bill require of “processors”?
Processors must process personal data according to the controller’s instructions and must assist controllers with the fulfillment of their obligations under the CPA. Processing by a processor must be governed by a binding contract setting out the processing instructions to which the processor is bound.
How would the CPA be enforced?
The CPA would be enforced by the Colorado Attorney General and District Attorneys. Violators would be subject to an injunction and a civil fine as specified in Colo. Rev. Stat. § 6-1-112 (setting out civil penalties in various contexts). There is no private right of action in the CPA bill.
When would the CPA take effect?
The law would take effect on January 1, 2023.