BY RYAN TULLY
June 30, 2023
On July 7, 2021, Colorado Governor Jared Polis signed into law S.B. 190, now known as the Colorado Privacy Act (the “CPA” or the “Act”). The Act represents the third comprehensive, rights-based data privacy law passed at the U.S. state level.
Overall, the new law shares much in the way of protection of personal data with the CCPA/CPRA and Virginia’s recent addition, the CDPA (or VCDPA). Read on to learn about enforcement of the new law and the prospects for more laws like this one at the state and federal level.
The CPA defines “personal data” very broadly: “information that is linked or reasonably linkable to an identified or identifiable individual” and “does not include de-identified data or publicly available information.” Unlike the CCPA/CPRA, the CPA does not give a list of examples of personal data. Employee data is not covered, nor are business-to-business communications.
The statute, like the CPRA, VCDPA, and GDPR, calls out “sensitive data” as a separate class of personal data. It not only includes items like racial/ethnic origin and genetic/biometric data for the purpose of identifying someone, but also the personal data of a known child.
Businesses Subject to the Act
A business that conducts business in Colorado or “delivers commercial products or services that are intentionally targeted to residents of Colorado” is subject to the Act if it:
- (I) Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- (II) derives revenue … from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
This jurisdictional threshold lacks a minimum dollar value of business revenue, in contrast to the CCPA/CPRA, but matches the CPRA’s minimum of collecting or processing the personal data of at least 100,000 residents/consumers. The other threshold is somewhat of a mashup of the CCPA/CPRA’s (deriving 50% of its revenue from the sale of personal information) and the VCDPA’s (control or process the personal data of at least 25,000 consumers).
As with the CCPA/CPRA and VCDPA, the CPA only applies to businesses and, in principle, applies to businesses outside of the U.S.
The CPA grants to Colorado residents a core set of rights with respect to their personal data that are essentially the same as with the other rights-based statutes: the rights of access to their personal data and to amendment or deletion, as well as the right to opt out of the sale of that data and to opt out of receiving targeted advertising. Data portability is also among that core. These five rights are becoming the core rights offered by just about all proposed data protection legislation.
Business and Third-Party Responsibilities
The CPA is noteworthy in that it not only cites duties of businesses (“controllers”) but also goes into detail as to the duties of their third-party processors. As to controllers, core duties include transparency of privacy practices, purpose specification, data minimization, avoidance of secondary use of personal data (i.e., purpose limitation), and data security. Rounding out these duties are (1) the avoidance of unlawful discrimination; (2) the requirement of obtaining consent for the use of sensitive data; and (3) the necessity for a risk assessment when there is a “heightened risk of harm to a consumer.” As to this last point, “heightened risk” includes the sale of personal data, its processing for targeted advertising or profiling, and the processing of sensitive personal data. The use of processors must be governed by a contract that articulates the processing instructions, the type of data involved and the duration of its processing, as well as many other details. The processor must also assist the controller in meeting its obligations under the Act.
Generally, there are two types of exemptions to rights-based data protection laws: regulatory regime-based and institution-based. Under the CCPA/CPRA, for example, personal information that is subject to certain federal-level statutes is exempt from the law, such as information subject to HIPAA or GLBA. In contrast, under the VCDPA, not only is GLBA-regulated data exempt, but so are financial institutions that are subject to GLBA (the same applies to HIPAA). This difference is important for those financial institutions subject both to the CCPA/CPRA and GLBA: they still must adhere to the CCPA/CPRA requirements for non-GLBA data, such as marketing data collected from consumers, while the same is not true under the VCDPA. The Colorado Act takes this latter approach, exempting both financial institutions subject to GLBA and HIPAA and the GLBA- and HIPAA-regulated data itself.
Under the Act, a consumer may authorize another person to opt them out of certain types of processing (targeted advertising, profiling) or of the sale of personal data. That opt-out can be effectuated by “a web link indicating a preference or browser setting, browser extension, or global device setting.” This is an example of the use of so-called Global Privacy Controls (or GPCs) and is particularly relevant, given that the California Attorney General recently updated its CCPA FAQ page to imply that it is now enforcing consumer use of GPCs. The challenge with relying on GPCs is much the same as with a similar browser-based technology introduced in the late 2000s: Do Not Track (or DNT). The principle behind DNT was that once a website received a DNT signal from a consumer’s browser, the website owner would automatically discontinue electronic tracking of that device. The problem with both of these privacy mechanisms is that not all web browsers have adopted them, and many, if not most, websites have not, either. As a result, DNT has been a failure. It remains to be seen whether the same fate will befall GPCs or whether vigorous enforcement will change that dynamic.
The CPA will be enforced as a deceptive trade practice by the state’s Attorney General or local district attorneys, and potential fines are as they would be under the Colorado Consumer Protection Act: up to $2,000 per violation, with a $500,000 limit. Offenders are to be given 60 days to cure a violation before state or local officials commence enforcement, though this opportunity to cure will sunset on January 1, 2025. Unlike the CCPA/CPRA, there is no private right of action under the CPA.
The CPA and the (Near) Future of Data Protection
Overall, there aren’t any surprises in this new law, and for those controllers and processors who are already compliant with the CCPA, the additional effort needed to comply with the CPA should be minimal. What has been surprising is how many rights-based data protection bills have been proposed and how few have made their way into law.
As for the prospect of a federal general data protection law that would be our equivalent of the GDPR, many believe data protection at the federal level is not currently a legislative priority, nor has it been over the last two decades.
For now, the focus of data protection professionals should be on understanding where personal data exists throughout the enterprise and shoring up security controls, two areas that can always use improvement.