Colorado Passes a Data Privacy Law
On June 8, 2021, the Colorado Senate approved House amendments to the Colorado Privacy Act (CPA) (SB21-190). The bill now goes to Governor Jared Polis for approval. If enacted, the CPA will become effective on July 1, 2023.
CPA Applies to All Controllers That:
- Control or process the personal data of 100,000 consumers (Colorado residents) or more in a calendar year and/or,
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers (Colorado residents) or more
Want to see how CPA compares against other data privacy laws side-by-side? Check out our Privacy Laws Comparison Table
- Consumer: A Colorado resident acting only in an individual or household context. Individuals acting in a commercial or employment context are out of scope of this definition.
- Personal Data: Information that is linked or reasonably linkable to an identified or identifiable individual. De-Identified data is excluded.
- Sensitive Data: Racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, genetic or biometric data (processed for the purpose of identifying an individual), individuals under 13 years.
- Sale: The exchange of personal data for monetary or other valuable consideration by a controller to a third party. Transfers to processors or third parties for purposes of providing a product or service are out of scope of this definition.
- Targeted Advertising: Advertisements selected and displayed based on personal data obtained or inferred from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.
- Right to Opt out of the sale or processing of personal data for purposes of targeted advertising
- Right to authorize another person to opt out of the processing of the consumer’s personal data
- Right to Access and data portability
- Right to Correction of any inaccurate personal data collected from the consumer
- Right to Deletion of personal data concerning the consumer
Obligations of Controllers & Processors
- Notice: Controllers are required to provide consumers with a privacy notice that includes:
- The categories of personal data that it (or a processor) collects or processes
- The purposes for which the categories of personal data are processed
- How and where consumers may exercise their rights
- The categories of personal data that the controller shares with third parties
- The categories of third parties, if any, with whom the controller shares personal data
- Choice: Controllers who sell personal data or process personal data for targeted advertising are required to clearly and conspicuously disclose this and provide a way for the consumer to opt out.
- Sensitive Data: Consent is required for processing sensitive data. Individuals under age 13, require parental consent.
- Permitted Purposes of Processing: Consent is not required for personal data used to:
- Provide a product or service specifically requested by the consumer
- Conduct internal research to improve, or develop products, services, or technology
- Perform operations reasonably aligned with consumers’ expectations
- Protect the vital interests of the consumer or of another individual
- Prevent, detect, protect against, or respond to security incidents or illegal activities
- Secondary Uses: Consent is required for all secondary use cases.
- Data Protection Assessments: Are required for each processing activity that presents a heightened risk of harm to a consumer including, targeted advertising, high-risk profiling, sale of personal data, and processing sensitive data.
- Data Security: Controllers must ensure reasonable security measures appropriate to the volume, scope, and nature of the personal data being processed.
- Consumer Appeals: Controllers must provide a clear and conspicuous process for consumers to appeal the controller’s refusal to take action on their individual rights request.
- Data Processors: Contracts between the controller and the processor are required for processor accountability. Processors must delete or return all personal data to the controller as requested at the end of the term of their agreement
- Personal data processed in compliance with HIPAA, FCRA, GLBA, DPPA, COPPA, and FERPA
- Air carriers
- Data maintained for employment records purposes by public utilities
- Data used for non-commercial purposes, by state higher education and government entities
- The CPA is enforced by the Colorado Attorney General (AG) and district attorneys.
- Civil penalties are up to $20,000 per violation
- No private right of action
- 60 day cure period – sunsets January 1, 2025
The bill is on its way to Governor Polis’ desk for approval, in anticipation of his signature. The Colorado General Assembly is scheduled to adjourn for the year on June 12, 2021. If the bill is transmitted to Governor Polis before that date, he has 10 days to sign or veto the bill, or it becomes law without his signature. If the bill is transmitted to Governor Polis after the legislative session ends, he must act on the bill within 30 days after the last day of the session, or it becomes law without his signature.
 a person that, alone or jointly with others, determines the purposes and means of processing personal data (SB21-190)