
Colorado Privacy Act (CPA): What You Need to Know


Rick Buck Chief Privacy Officer

Introduction

The Colorado Privacy Act (CPA) was introduced on March 19, 2021, passed unanimously on May 26, 2021, and was signed into law on July 7, 2021 by Governor Jared Polis.

The CPA became the third comprehensive data privacy law adopted in the US, after California (CCPA and CPRA) and Virginia (CDPA).

The key differences between the CPA and the CCPA concern the private right of action, enforcement, penalties, and the cure period.

Official text

Click here to access the full official text of the CPA.

Effective Date

The CPA is scheduled to go into effect on July 1, 2023.

Applicability

The CPA currently applies to legal entities that:

(a) conduct business or produce products or services that are intentionally targeted to Colorado residents and

(b) either (i) control or process personal data of more than 100,000 consumers per calendar year or

(ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

Covered Personal Information

The CPA defines “Personal Data” as “information that is linked or reasonably linkable to an identified or identifiable individual,” with the exceptions of:

(a) de-identified data and

(b) publicly available information.

Sensitive Data

Under this data privacy law, a controller must not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of processing of personal data concerning a known child or student, without obtaining consent from the child’s or student’s parent or lawful guardian. SB 21-190 defines “sensitive data” as:

(i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status,

(ii) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or

(iii) personal data from a known child.

Anonymous, De-identified, Pseudonymous, or Aggregated Data

Under the Colorado Privacy Act, “de-identified data” means data that do not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

Children

Personal data from a known child is itself a category of sensitive data under the CPA (see the definition above). A controller therefore must not process personal data concerning a known child or student without obtaining consent from the child’s or student’s parent or lawful guardian.

Privacy Notice

This privacy framework introduces a duty of transparency for controllers. The controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  1. The categories of personal data collected or processed by the controller or a processor,
  2. The purposes for which the categories of personal data are processed,
  3. An estimate of how long the controller may or will maintain the consumer’s personal data,
  4. An explanation of how and where consumers may exercise their rights under SB 21-190,
  5. The categories of personal data that the controller shares with third parties, if any, and
  6. The categories of third parties, if any, with whom the controller shares personal data.

Consumer Rights

The CPA introduces the following consumer rights:

  1. Right to opt out of the processing of personal data concerning the consumer,
  2. Right to access the consumer’s personal data and confirm whether a controller is processing personal data concerning the consumer,
  3. Right to correct inaccurate personal data collected from the consumer,
  4. Right to delete personal data concerning the consumer,
  5. Right to obtain the consumer’s personal data in a portable and readily usable format up to two times per calendar year.

Contracting

The Colorado Privacy Act defines the “duties of Controllers”. Similar to preceding data privacy legislation, SB 21-190 utilizes concepts of data “controllers” and data “processors,” where a “controller” is the person or entity that determines the purposes and means of processing personal data and the “processor” is the person or entity that processes personal data on behalf of the controller. Controllers and processors must enter into a binding contract governing the processing instructions. Controllers do not avoid responsibility by delegating processing responsibilities to a processor.

Data Protection Assessments

Under the CPA, before engaging in processing that presents a heightened risk of harm to a consumer, a controller must conduct and document a data protection assessment of each of its processing activities that involves personal data acquired on or after the effective date of SB 21-190. SB 21-190 defines “processing that presents a heightened risk of harm to a consumer” as including the following:

(i) processing personal data for purposes of targeted advertising or profiling,

(ii) selling personal data, and

(iii) processing sensitive data.

Enforcement

The CPA will be enforced by the Attorney General of Colorado and District Attorneys.

Private Right of Action

The Colorado Privacy Act does not contain a provision for private rights of action.

Penalties and Damages

Under the CPA, violations would be subject to civil penalties under the Colorado Consumer Protection Act (C.R.S. 6-1-112), which provides for civil penalties of not more than $20,000 per violation.

Cure Period

The CPA establishes a 60-day right-to-cure period. This cure period will be repealed on January 1, 2025.

Exemptions

SB 21-190 currently does not apply to certain categories of personal data already governed by various state and federal laws, such as HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994, the Children’s Online Privacy Protection Act of 1998 (COPPA), and the Family Educational Rights and Privacy Act of 1974 (FERPA), in each case to the extent the activity related to the personal data complies with the existing governing law(s). SB 21-190 also does not apply to data maintained for employment records purposes. If a business processes personal data pursuant to an exemption under SB 21-190, the business bears the burden of demonstrating that the processing qualifies for the exemption.

Data Breach

The CPA requires notification of security breaches affecting personal information (PI), which includes a detailed notice to Colorado residents and, in certain circumstances, a notice to the Attorney General.

WireWheel offers a complete solution to help manage the requirements of the CPA, including a solution to fulfill employee DSARs, an integration with Microsoft Priva, and connectors to over 500 systems, including HR systems such as Workday and Oracle. Contact us to learn more.

See how the Colorado CPA compares to other global privacy regulations such as CCPA, GDPR, and more on our Privacy Law Matrix.

Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…