Client Alert - The Colorado Privacy Act: Both Bark and Bite

Date: June 17, 2021

Europe began the trend, California followed suit shortly after, and now the flood gates have opened.

Colorado is the third state that is on the brink of enacting a strict and extensive privacy law that has significant implications for a wide variety of organizations that control or process personal data. 

Applicability

The Colorado Privacy Act (CPA) applies to an organization that conducts business, produces products, or provides services to Colorado residents and either (1) controls or processes personal data of more than 100,000 consumers per year, or (2) derives revenue from the sale of personal data and controls or processes personal data of at least 25,000 consumers. 

The CPA defines “consumer” as an individual who is a Colorado resident only in an individual or household context. 

Requirements

If the Governor signs the bills, organizations subject to the CPA must take a litany of GDPR-like steps to comply with the new law, which will become effective on July 1, 2023.  First, organizations must provide their consumers with the right to (1) opt-out of certain processing of personal data, (2) access personal data, (3) correct inaccurate personal data, (4) delete personal data, and (5) have data portability.  Once a consumer submits a formal request to exercise one of these rights, organizations must act on it within 45 days.

Second, related to consumer personal data, organizations have a duty to comply with certain transparency, purpose specification, minimization, secondary use, care, and unlawful discrimination requirements, along with specific requirements related to sensitive data.  Notably, the CPA prohibits a data controller from processing consumers’ “sensitive data” without first obtaining affirmative consent. 

Finally, organizations subject to the CPA must implement appropriate administrative, physical, and technical safeguards to protect consumer data.  An added wrinkle in the CPA requires organizations to perform data protection assessments when data processing increases the risk of harm to a consumer (i.e., processing for the purpose of targeted advertising or profiling, selling personal data, or processing sensitive data).  Organizations must perform a risk analysis weighing the costs and benefits of the processing and the sufficiency of the implemented safeguards in protecting the personal data.  If requested by the Colorado Attorney General, organizations must produce the data protection assessments they have performed. 

Penalties

The Colorado Attorney General and district attorneys are authorized to enforce the Act.  Penalties can be up to $20,000 for each violation, and each consumer involved counts as a separate violation.  The maximum penalty is $500,000.  However, unlike the CCPA, there is no private right of action under the Act.

Exceptions

The CPA includes a few important exemptions.  For instance, the CPA fully exempts financial institutions subject to the federal Gramm-Leach-Bliley Act, as well as certain types of health and patient information governed by HIPAA.

Conclusion

In the absence of federal action to protect personal data, the states have begun recognizing and responding to the importance of protecting personal information and allowing individuals to control information that relates to them.  Privacy and data security need to be at the forefront of every organization’s agenda and priorities.  If not, an organization will find itself in a precarious position when the Colorado Attorney General comes calling.

The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.