About the author
Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Security Systems Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.
On July 7, 2021, Colorado Governor Jared Polis signed into law S.B. 190, now known as the Colorado Privacy Act (the “CPA” or the “Act”). The Act represents the third comprehensive, rights-based data privacy law passed at the U.S. state level. Overall, the new law shares much in the way of protection of personal data with the CCPA/CPRA and Virginia’s recent addition, the CDPA (or VCDPA). During the 2021 legislative sessions of the states, approximately 22 data protection-related bills have thus far been proposed, but only two – those of Virginia and Colorado — have been signed into law. Notably, the proposed Washington (state) Privacy Act failed to pass both houses of the legislature for the third session in a row, owing to the battle over including a private right of action for violations of the proposed statute. This battle is common in legislatures, pitting business interests against privacy advocates who desire the additional enforcement power that the plaintiff’s bar provides. I’ll discuss this more in a future blog post. Enforcement of the Act begins on July 1, 2023.
In this analysis, I’ll summarize the scope of the new law and discuss the prospects for more laws like this one at the state and federal level.
The CPA defines “personal data” very broadly: “information that is linked or reasonably linkable to an identified or identifiable individual” and “does not include de-identified data or publicly available information.” Unlike the CCPA/CPRA, the CPA does not give a list of examples of personal data. Employee data is not covered, nor is business-to-business communications.
The statute, like the CPRA, VCDPA, and GDPR, calls out “sensitive data” as a separate class of personal data. It not only includes items like racial/ethnic origin and genetic/biometric data for the purpose of identifying someone, but also the personal data of a known child.
Businesses Subject to the Act
A business that conducts business in Colorado or “delivers commercial products or services that are intentionally targeted to residents of Colorado” is subject to the Act if it:
- (I) Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- (II) derives revenue … from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
This jurisdictional threshold lacks a minimum dollar value of business revenue, in contrast to the CCPA/CPRA, but matches the CPRA’s minimum of collecting or processing the personal data of at least 100,000 residents/consumers. The other threshold is somewhat of a mashup of the CCPA/CPRA’s (deriving 50% of its revenue from the sale of personal information) and the VCDPA’s (control or process the personal data of at least 25,000 consumers).
As with the CCPA/CPRA and VCDPA, the CPA only applies to businesses and, in principle, applies to businesses outside of the U.S.
The CPA grants to Colorado residents a core set of rights with respect to their personal data that are essentially the same as with the other rights-based statutes: the rights of access to their personal data and to amendment or deletion, as well as the right to opt out of the sale of that data and to opt out of receiving targeted advertising. Data portability is also among that core. These five rights are becoming the core rights offered by just about all proposed data protection legislation.
Business and Third-Party Responsibilities
The CPA is noteworthy in that it not only cites duties of businesses (“controllers”) but also goes into detail as to the duties of their third-party processors. As to controllers, core duties include transparency of privacy practices, purpose specification, data minimization, avoidance of secondary use of personal data (i.e., purpose limitation), and data security. Rounding out these duties are (1) the avoidance of unlawful discrimination; (2) the requirement of obtaining consent for the use of sensitive data; and (3) the necessity for a risk assessment when there is a “heightened risk of harm to a consumer.” As to this last point, “heightened risk” includes the sale of personal data, its processing for targeted advertising or profiling, and the processing of sensitive personal data. The use of processors must be governed by a contract that articulates the processing instructions, the type of data involved and the duration of its processing, as well as many other details. The processor must also assist the controller in meeting its obligations under the Act.
Generally, there are two types of exemptions to rights-based data protection laws: regulatory regime-based and institution based. Under the CCPA/CPRA, for example, personal information that is subject to certain federal-level statutes is exempt from the law, such as information subject to HIPAA or GLBA. In contrast, under the VCDPA, not only is GLBA-regulated data exempt, but so are financial institutions that are subject to GLBA (the same applies to HIPAA). This difference is important for those financial institutions subject both to the CCPA/CPRA and GLBA; they still must adhere to the CCPA/CPRA requirements for non-GLBA data, such as marketing data collected from consumers, while the same is not true under the VCDPA. The Colorado Act takes this latter approach, exempting financial institutions subject to GLBA and HIPAA and GLBA- and HIPAA-regulated data.
Under the Act, a consumer may authorize another person to opt them out of certain types of processing (targeted advertising, profiling) or of sale of personal data. That opt out can be effectuated by “a web link indicating a preference or browser setting, browser extension, or global device setting.” This is an example of the use of so-called Global Privacy Controls (or GPCs) and is particularly relevant, given that the California Attorney General recently updated its CCPA FAQ page to imply that it is now enforcing consumer use of GPCs. The challenge with relying on GPCs is much the same as with a similar browser-based technology introduced in the late 2000’s: Do Not Track (or DNT). The principle behind DNT was that once a website received a DNT signal from a consumer’s browser, the website owner would automatically discontinue electronic tracking of that device. The problem with both of these privacy mechanisms is that not all web browsers have adopted their use and many, if not most, websites have not, either. As a result, DNT has been a failure. It remains to be seen whether the same fate will befall GPCs or whether vigorous enforcement will change that dynamic.
The CPA will be enforced as a deceptive trade practice by the state’s Attorney General or local district attorneys, and potential fines are as they would be under the Colorado Consumer Protection Act: up to $2,000 per violation; with a $500,000 limit. Offenders are to be given 60 days to cure a violation before state or local officials commence enforcement, though this opportunity to cure will sunset on January 1, 2025. Unlike the CCPA/CPRA, there is no private right of action under the CPA.
The CPA and the (Near) Future of Data Protection
Overall, there aren’t any surprises in this new law and for those controllers and processors who are already compliant with the CCPA, the additional effort needed for complying with the CPA should be minimal. What has been surprising is how many rights-based data protection bills have been proposed during this legislative session and how few – exactly two – have made their way into law. This is in contrast to the 30-40 cybersecurity and breach notification bills that have become law over the previous two sessions (one of which was Colorado’s). Based on my interviews with legislators, the resistance from business interests does not merely stem from a proposed private right of action, but rather from the overall additional compliance efforts (e.g., fulfilling data access requests). It may be that, absent a data privacy scandal that is truly egregious, we will not see any new data protection laws at the state level until next year at the earliest. In the meantime, given the number of businesses nationwide involved in commerce in California, the CCPA has effectively become our national data protection standard. With the CPRA’s heightened standards coming online at the end of 2022, those businesses already have plenty of work to do in order to become compliant. I am periodically asked about the prospect of a federal general data protection law that is our equivalent of the GDPR. The short answer is that data protection at the federal level is not currently a legislative priority, nor has it been over the last two decades, and I don’t expect that to change. For now, I believe the focus of data protection professionals should be on understanding where personal data exists throughout the enterprise and shoring up security controls– two areas that can always use improvement.