On March 19, 2021, Senators Rodriguez and Lundeen introduced the Colorado Privacy Act (“CPA”) bill, which would provide additional protections for the personal data of state residents. If passed, the bill would have a far-reaching impact on businesses collecting and using personal information about Colorado residents, whether operating inside or outside the state. We will continue to monitor developments, but if you have any questions or would like to discuss specific issues in the bill, please reach out to Camila Tobón.
DGS will be hosting a webinar to discuss the bill on Tuesday, April 13, 2021 from noon to 1 p.m. You can register here.
To whom does the CPA bill apply?
The CPA aims to protect the personal data of “consumers,” which means a natural person who is a Colorado resident acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
The CPA refers to “controllers” and “processors.” A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of the controller. The CPA bill also introduces the concept of a “third party,” which is defined as “a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.”
To be subject to the CPA, a legal entity would have to:
- Conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents; and either
- Control or process the personal data of 100,000 consumers or more during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.
What does the CPA bill protect?
The CPA bill protects “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.
The CPA bill excepts certain data sets, including:
- “Protected health information” and other listed patient and health information, as well as information maintained in the same manner by covered entities, business associates, health care facilities or health care providers, and a program or qualified service organization as defined in 42 C.F.R. § 2.11;
- Personal data bearing on a consumer’s creditworthiness that is regulated by the Fair Credit Reporting Act and processed by a consumer reporting agency, a furnisher of information, or a user of a consumer report;
- Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA);
- Personal data collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act;
- Personal data regulated by the federal Children’s Online Privacy Protection Act and the federal Family Educational Rights and Privacy Act; and
- Data maintained for employment records purposes.
The CPA bill also includes an entity-level exemption for financial institutions or affiliates of a financial institution that are subject to the GLBA. Any personal data processed by these entities would be out of scope of the CPA bill, not just the personal data handled pursuant to the GLBA and its implementing regulations.
Does the CPA define “sale” of personal data?
The CPA defines “sale” as the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties. It includes several exceptions:
- Disclosing data to a processor that processes personal data on behalf of the controller;
- Disclosing personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller;
- The disclosure or transfer of personal data to an affiliate of the controller; or
- The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
What consumer rights does the CPA bill provide?
The CPA would provide consumers with the following rights:
- The right to opt out of the processing of personal data concerning the consumer, including the right to authorize another person to opt out of personal data processing for purposes of targeted advertising or “sale” of the consumer’s personal data.
- The right to confirm whether a controller is processing personal data concerning the consumer and to access those data.
- The right to correct inaccurate personal data collected from the consumer.
- The right to delete personal data concerning the consumer.
- The right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance (data portability). This right may be exercised no more than twice per calendar year.
Controllers would have 45 days to respond to requests to exercise consumer rights, which could be extended to 90 days where reasonably necessary. Controllers must provide information free of charge except that a fee (to be calculated pursuant to the state public records statute) may be charged for the second or subsequent request within a twelve-month period.
The CPA bill requires controllers to establish an internal process for consumers to appeal a refusal to act on a request to exercise any of their consumer rights. If the consumer has concerns about the result of the appeal, they can contact the Attorney General.
What does the CPA bill require of “controllers”?
Controllers must provide consumers with a privacy notice describing the categories of personal data collected or processed, the purposes for processing, an estimate of how long personal data will be retained, how and where consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom personal data are shared. If a controller sells personal data to third parties or processes personal data for targeted advertising, it must disclose such sale or processing as well as the manner in which the consumer may exercise the right to object to such sale or processing.
Other requirements imposed on controllers include:
- Purpose specification – collection of personal data must be limited to what is reasonably necessary for the specified purpose;
- Data minimization – controllers must collect only what is reasonably necessary for the specific purpose;
- Secondary uses – controllers must avoid secondary uses that are not reasonably necessary to or compatible with the purposes for which the data are processed;
- Duty of care – controllers must employ reasonable security measures to protect personal data against unauthorized acquisition during both storage and use;
- Nondiscrimination – controllers cannot increase the cost of or decrease the availability of a product or service based solely on the exercise of a right and may not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers.
Controllers must get consent to process “sensitive data,” which include:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
- genetic or biometric data for the purpose of uniquely identifying a natural person; and
- personal data from a known child.
Controllers must also conduct data protection assessments for processing activities presenting a heightened risk of harm to consumers, which include targeted advertising or profiling; the sale of personal data; and sensitive data processing. Such data protection assessments must be made available to the Attorney General upon request.
What does the CPA bill require of “processors”?
Processors must process personal data according to the controller’s instructions and must assist controllers with the fulfillment of their obligations under the CPA. Processing by a processor must be governed by a binding contract setting out the processing instructions to which the processor is bound.
How would the CPA be enforced?
The CPA would be enforced by the Colorado Attorney General and District Attorneys. Violators would be subject to an injunction and a civil fine as specified in Colo. Rev. Stat. § 6-1-112 (setting out civil penalties in various contexts). There is no private right of action in the CPA bill.
When would the CPA take effect?
The law would take effect on January 1, 2023.