Privacy Patchwork Part 2: How Colorado’s Privacy Law Could Impact Your Business – Privacy Protection

The number of states enacting comprehensive privacy laws is growing, adding to the existing complex patchwork of privacy, security, and data breach notification laws that keep legal and compliance staff on their toes. Businesses should start preparing to comply with these laws, many of which will come into force in 2023.

This five-part series will highlight key provisions of some of the comprehensive new privacy laws. Each week, we’ll examine the laws of one new state – Virginia, Colorado, Utah, Connecticut and California – and provide recommendations on what actions businesses should consider taking now to comply. This article explores the impact Colorado’s privacy law could have on your business.

Stay tuned each week as we highlight key takeaways from these new laws. We anticipate that this series will continue to grow as states enact or revise consumer privacy laws.

Colorado Privacy Law

On July 8, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA), making Colorado the third state (after California and Virginia) to enact comprehensive privacy legislation. The CPA will come into force on July 1, 2023.

1. Threshold of applicability

Unlike some state laws that focus on a company’s revenue to determine applicability, the CPA focuses on the number of consumers whose data is implicated. The CPA applies to companies that operate in Colorado or provide commercial products or services that intentionally target Colorado residents, where the company processes the data of at least 100,000 consumers or derives revenue from the sale of the personal data of at least 25,000 consumers each year.

The CPA excludes certain industries and types of data from the law, including anonymized data, entities regulated by the Gramm-Leach-Bliley Act, certain data processed by covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA), such as protected health information and data created to demonstrate HIPAA compliance, and information regulated by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994 and the Family Educational Rights and Privacy Act of 1974 (FERPA).

2. Summary of consumer rights

The CPA grants Colorado residents rights similar to those granted by the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the European Union’s General Data Protection Regulation (GDPR), notably:

  • The right to object to the processing of personal data for the purposes of targeted advertising, sale of personal data and profiling;

  • The right to confirm whether a controller is processing personal data and to access personal data;

  • The right to correct inaccuracies in the personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data;

  • The right to request the deletion of personal data; and

  • The right to obtain a copy of personal data in a portable, easily usable and easily transmitted format. This last right can be exercised up to twice a year.

These rights are important because businesses to which the CPA applies will need to have internal policies and procedures in place to receive and respond to consumer inquiries associated with these consumer rights. Importantly, the CPA requires businesses to provide consumers with a universal opt-out mechanism that allows them to click one button to exercise all of their opt-out rights. We expect implementing regulations to specify how companies must execute this universal opt-out mechanism.

3. Use and retention of data

The CPA imposes new restrictions on companies that collect personal data. The collection of personal data, under the CPA, must be limited to data reasonably necessary for the specified purposes for which the data is processed. As such, companies should develop procedures to track the purposes for which data is collected and establish data retention policies that limit the retention of personal data once processing is complete.

In addition, companies must sign agreements with processors that identify the purposes of data processing, the type of personal data to be processed and the duration of the processing. These agreements should also include restrictions on the engagement of processors, a duty of data confidentiality for processors, and an obligation to delete or return all personal data to the controller upon termination. Companies should review their contracts to confirm that they meet CPA requirements and update them as necessary to comply.

Companies acting as controllers under the CPA must also perform and document data protection assessments of all processing activities involving personal data. Data protection assessments focus on processing that poses an increased risk of harm to the consumer, such as processing for the purposes of targeted advertising or profiling, the sale of personal data or the processing of sensitive data. Similar to the VCDPA, the CPA emphasizes that the purpose of data protection assessments is to weigh the potential risks of processing personal data against the direct or indirect benefits of the processing for the controller, the consumer and the public. At the request of the Colorado Attorney General, data controllers must produce their data protection assessments. Companies should write procedures outlining when they should perform a data protection assessment and carefully document the process each time an assessment is performed.

4. Disclosures

Companies must provide consumers with a reasonably accessible, clear and meaningful privacy notice. This notice should include a description of the categories of personal data collected and the purposes for which that data is processed, information about consumer rights and choices under the CPA, and the process for withdrawing consent to the processing of personal data. Companies subject to the CPA should carefully review their privacy notices and revise them as necessary to comply.

5. State Enforcement

The Colorado Attorney General’s Office and Colorado District Attorneys have the authority to bring a lawsuit alleging a CPA violation after a 60-day cure period, during which companies can remedy an alleged violation. This right to cure will expire on January 1, 2025.

The CPA itself does not include any guidelines regarding fines for violations. However, it provides that a violation of the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act, which subjects violations to a civil penalty not exceeding $2,000 per violation, not to exceed $500,000 in total for any series of related violations.

Finally, the CPA does not provide for a private right of action.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.