By Joshua A. Mooney, Kennedys
The Colorado Privacy Act (“ColoPA” or “Act”) has been sent to Governor Jared Polis’s office to be signed into law, making Colorado the third state to enact comprehensive privacy legislation (after California and Virginia). Once signed, the Act will take effect on July 31, 2023. Its requirements are substantive, however, with GDPR-like provisions addressing data security, consumers’ data rights, and mandatory contracting requirements/clauses. For a quick read, here is a brief snapshot of some highlights of the Act:
1. Scope, enforcement and penalties
The Act applies to companies that conduct business or produce products or services intentionally targeted to Colorado residents and either: (a) control or process personal data of more than 100,000 consumers annually; or (b) derive any revenue from the sale of personal data, and control or process the personal data of at least 25,000 consumers. (6-1-1304.(1).)
The ColoPA broadly defines “personal data” as (a) “information that is linked or reasonably linked to an identified or identifiable individual,” but does not include “de-identified data or publicly available information.” (6-1-1303.(17).) An “identified or identifiable individual” is “an individual who can be readily identified, directly or indirectly, in particular reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.” (6-1-1303.(16).) The Act also broadly defines “sell” or “sale” as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” (6-1-1303.(23).)
There is no private right of action. However, the Act provides district attorneys with enforcement rights. Thus, companies may see enforcement of Colorado’s privacy legislation at both the state and local levels, and with greater penalties, topping out at $20,000 per violation.
2. Duties of a controller
Briefly, the ColoPA imposes upon a controller the duties of transparency, specified purpose, data minimization, avoidance of secondary use, care, anti-discrimination, and consent when using sensitive data. (6-1-1308.) A detailed description of these duties is as follows:
Transparency. Controllers must provide consumers with “a reasonably accessible, clear and meaningful privacy notice” that includes:
- (i) categories of personal data collected and/or processed;
- (ii) purposes for which personal data is processed;
- (iii) how a consumer may exercise his or her rights, including right of appeal;
- (iv) categories of personal data shared with third parties;
- (v) categories of third parties with whom personal data is shared; and
- (vi) if a controller sells personal data or uses it for “targeted advertising,” the controller must “clearly and conspicuously” disclose the sale or processing as well as the consumer’s right to opt out.
Purpose Specification. The controller must specify the purposes for which personal data is collected and processed.
Data Minimization. The controller’s collection of personal data “must be adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”
No Secondary Use. A controller may not process personal data that is “not reasonably necessary in relation to the specified purposes for which the data are processed, unless the controller first obtains the consumer’s consent.” This is the mirror image of the duty of data minimization.
Duty of Care. The controller must undertake “reasonable measures to secure personal data during both storage and use from unauthorized acquisition” that are “appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”
Anti-Discrimination. The controller may not violate any state or federal discrimination laws in the collection or processing of personal data.
Consent to Process Sensitive Data. A controller may not process sensitive data without first obtaining the consumer’s consent or, if the consumer is a child, the consent of the child’s parent or legal guardian. The Act defines “sensitive data” as “(a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.” (6-1-1303.(24).)
Data security. Controllers and processors alike also must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.” (6-1-1305.(4).)
3. Mandatory data processing agreements
Much like when effecting data transfers under GDPR, the ColoPA in effect requires data processing agreements that have mandatory contractual provisions. (6-1-1305.(5).) Under the Act, any data transfer to a processor must be governed by a written contract that:
- Details processing instructions, including the nature and purpose of the processing;
- Identifies the types of personal data to be processed and the duration of such processing; and
- Imposes duties of confidentiality.
“[T]aking into account the context of the processing,” the contract also must require the parties to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures,” including that the processor:
- If a sub-processor is used, require the sub-processor to adhere to the same security requirements and also provide the controller with advance notice to give the controller opportunity to object to the sub-processor’s use;
- At the controller’s choice, delete or return all personal data at the end of the contract;
- Provide the controller all information necessary to demonstrate compliance with the ColoPA requirements; and
- Permit “and contribute to, reasonable audits and inspections” by the controller or its representative.
(6-1-1305.(5).) For audit requirements, with the controller’s consent, a processor may retain, at its own cost, an independent auditor to conduct an annual audit of its “policies and technical and organizational measures” using “an appropriate and accepted” framework or control. (Id.) Controllers and processors cannot contract out of their ColoPA liability. (6-1-1305.(6).)
4. Consumer rights
Consumers have rights of access, correction, deletion, and portability over their personal data. (6-1-1306.(1)(b) – (e).) They also have the right to opt-out from the processing of their personal data for targeted advertising, sale of personal data, or profiling. (6-1-1306.(1)(a).) Controllers that process personal data for targeted advertising or the sale of personal data must provide “a clear and conspicuous method to exercise the right to opt out.” (6-1-1306.(1)(a)(III).)
Controllers have 45 days to respond to a consumer request, with the right to a 45-day extension “where reasonably necessary.” (6-1-1306.(2)(a).) The controller also must establish an “internal process” to allow consumers the right to appeal any decision not to take action in response to a consumer request. (6-1-1306.(3)(a).)
A controller need not comply with consumer requests if the personal data is de-identified. (6-1-1307.(1).) The Act defines “de-identified data” as “data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (a) takes reasonable measures to ensure that the data cannot be associated with an individual; (b) publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and (c) contractually obligates any recipients of the information to comply with these same requirements.” (6-1-1303.(11).)
Rights, other than the right to opt out, do not apply to pseudonymous data where the controller can demonstrate that the information necessary to identify the consumer is kept separately and is inaccessible to the controller. (6-1-1307.(3).) The Act defines “pseudonymous data” as “personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.” (6-1-1303.(22).)
5. Some differences with California and Virginia law
A more detailed comparison of the Colorado Privacy Act with the California Privacy Rights Act and Virginia Consumer Data Protection Act is forthcoming. In the meantime, here are some notable differences:
- Like the Virginia law, and unlike California, the ColoPA exempts personal information generated within the employment and business-to-business contexts.
- While all three privacy acts have thresholds that apply to companies that annually collect the personal data of 100,000 consumers, the ColoPA also applies to companies that derive any revenue from data sales and collect the personal data of 25,000 Colorado consumers. (Virginia law applies to companies that derive more than 50% of their gross revenue from the sale of personal data and collect the personal data of 25,000 Virginia consumers. The CPRA’s other thresholds are for companies that have greater than $25 million in gross revenue, or derive at least 50% of annual revenue from sharing or selling personal information of California consumers.)
- The ColoPA applies to nonprofits, unlike California or Virginia.
- The ColoPA provides district attorneys with enforcement rights.
- The ColoPA has higher penalties. Compare $20,000 per violation (ColoPA) with $7,500 per violation (California and Virginia law).
Joshua Mooney is a partner at Kennedys in Philadelphia and a member of the law firm’s global cybersecurity and data compliance team.