Colorado Adds to the Privacy Law Patchwork – What to Expect

On July 7, Colorado became the third state to enact comprehensive data privacy legislation, following California and Virginia. The Colorado Privacy Act (CPA), modeled largely after its predecessor in Virginia (the Consumer Data Protection Act [VCDPA]) and in part after the California Consumer Protection Act (CCPA) and the California Privacy Rights Act (CPRA), will go into effect on July 1, 2023. Here is what you need to know.

Scope

The CPA applies to all legal entities—for-profit and non-profit—that conduct business in the state or produce products or services that are intentionally targeted to Colorado residents and that fall into one of two categories: those that 1) control or process personal data of 100,000 or more individual Colorado residents during a calendar year; or 2) derive revenue (or receive discounts on the price of goods or services) from the sale of personal data and control or process the personal data of at least 25,000 individual Colorado residents.

The CPA's thresholds for covered entities are substantially similar to those in the Virginia law. Both focus on the amount of personal data an entity processes rather than the amount of revenue a company generates (under the CCPA, companies that generate $25 million or more annually are covered). The CPA is slightly broader, however; unlike the Virginia law, the CPA requires that an entity obtain only some amount of revenue or discounts on goods or services, however small, from the sales of personal data (the Virginia law requires an entity to receive at least 50% of annual revenue from such sales). And unlike both the Virginia and California laws, the CPA applies to non-profit entities, except for state postsecondary institutions and state and local governments that collect and use personal data for noncommercial purposes.

Like the Virginia law, the CPA borrows from the EU General Data Protection Regulation, categorizing as "controllers" the entities that determine the means and purposes of processing personal data, and as "processors" those that process data on behalf of controllers. Controllers and processors must enter into agreements that govern the processing of personal data. Colorado, like Virginia, recognizes another type of entity—"third parties"—that are defined as someone "other than a consumer, controller, processor, or affiliate of the processor or controller."

The CPA also adopts Virginia's definition of "personal data," covering information that is linked or reasonably linkable to an identified or identifiable natural person, excluding "publicly available information" or "de-identified information." An "identified or identifiable" individual is one who "can be readily identified, directly or indirectly" by reference to an identifier (such as a name, ID number, GPS data or online identifier) that is part of a consumer's personal data. In practice, however, Colorado will cover more information because it limits the carve-out for "publicly available information."¹ The CPA does not apply to personal data governed by listed state and federal laws, certain employment records, health-related data such as that covered by HIPAA, or data that would be collected through human subject research. And like Virginia, the CPA expressly carves out individuals acting in an employment (including job applicants) or commercial context from the definition of "consumer."

Consumer Rights

Like California, Colorado has an explicit constitutional guarantee of the right to privacy. But the scope of that right has not previously been articulated through legislation. With this new law, Colorado consumers will now have the explicit right to control the collection, use, and disclosure of personal data. Specifically, the CPA grants Colorado residents (individuals and households) the same rights that the California and Virginia laws provide—namely the rights to:

• (1) Access personal data that the controller has collected about them;
• (2) Delete personal data;
• (3) Correct personal data;
• (4) Port personal data (twice a year);
• (5) Opt out of "sales" of personal data, targeted advertising, and profiling (or parent/guardian opt-in for a child);
• (6) Control the processing of "sensitive data"; and
• (7) Be free from retaliation (by increasing costs or decreasing availability of products or services) for exercising the rights provided under the Act.

As in Virginia and California, these rights are subject to exceptions—including, among other things, carve-outs for de-identified information, certain types of financial incentives, including loyalty and club card programs, and transfers of personal information in the course of a merger, or other change in corporate control—that will be familiar to those businesses that comply with the CCPA.

How These Rights Differ From Those Under the Virginia and California Laws

• Rights Apply to Personal Data Collected From and About the Consumer: The rights afforded consumers under the CPA are broader in one respect than those under the Virginia law. Specifically, unlike Virginia, Colorado's right to portability is not limited to personal data that the controller receives from the consumer. Instead, Colorado residents have the right to receive in a portable format any personal data that the controller has collected about the consumer. Both Colorado and Virginia offer broader rights to deletion than California, however, by allowing consumers to request deletion of any personal data that the controller has collected about them and not just, as under the California law, the personal data that the consumer has provided to the controller.
• Sales Include Exchanges of Personal Data for Non-Monetary Benefit: Like California, Colorado defines "sale" broadly to include exchanges of personal data for both monetary and "other valuable consideration." But like Virginia, Colorado excludes certain exchanges of personal data from the definition, including disclosures to "affiliates," which—unlike under California—are not required to share "common branding" with the controller; to third parties for the purpose of providing the product or service that the consumer requested; to processors; as the result of change in corporate ownership or structure; and that the consumer intentionally makes to the general public through mass media.
  
  However, Colorado's exclusions are slightly broader than Virginia's. Unlike Virginia, Colorado does not limit the exemption for consumer-executed disclosures through mass media to those where the consumer has not configured his or her privacy settings to limit access to the information. Put another way, under the Colorado law, a controller can disclose personal data that a consumer intentionally posts on a social media platform (provided the platform is considered "mass media") without triggering a "sale" even if the consumer had set his or her privacy settings to limit access to that information to certain users of the platform. In addition, unlike Virginia, Colorado excludes disclosures that the consumer directs or that a consumer intentionally uses a controller to make to a third party.
• Targeted Advertising Does Not Include Ads Based on Activities on Affiliated Websites: Like Virginia, Colorado gives consumers the right to opt out of "targeted advertising," and like Virginia, it defines that term narrowly to exclude ads based on a consumer's activities within the controller's own websites and apps, as well as (1) ads based on activities on the controller's affiliated websites; (2) ads based on the context of a consumer's search query or visit to a website or app; (3) ads displayed in response to a request for information or feedback; and (4) the processing of personal data solely for measuring or reporting ad performance, frequency, or reach.
  
  Colorado's definition is slightly broader in that it includes advertising based on data "inferred" from consumers' online activity across non-affiliated websites and not just personal data "obtained" from such activity. Therefore, any advertising targeted to consumers based on profiles developed from consumers' online activity—even if not based on the actual data itself—would be "targeted advertising" under the Colorado law, although this is unlikely to have much operational impact in practice. Putting aside this minor distinction, controllers will be able to engage in more unrestricted advertising under the Colorado and Virginia laws than under the California law. The ability to use data obtained from consumers' activities across affiliated websites that are not co-branded will be helpful in particular to large companies that manage many different brands whose affiliation with the parent entity is not apparent to consumers.
• Authorized Agents May Make Requests: Like California, Colorado allows authorized agents to make requests on behalf of consumers. Virginia does not allow authorized agents, however, so companies will need to limit responses to requests from Virginia residents only. California, Virginia, and Colorado allow a child's parent or legal guardian to invoke rights on behalf of the child.
• Appeals Process Required: Colorado, like Virginia, requires controllers to establish an appeals process by which consumers can appeal decisions to deny their requests to exercise their rights. In this respect, Colorado and Virginia are more onerous than California.
• Consumers Must Opt In to Processing of Sensitive Data: As under the Virginia law, businesses must obtain opt-in consent from consumers (or from the consumer's parent, if the consumer is under 13) before processing their "sensitive data." "Sensitive data" includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizen or immigration status; genetic or biometric data used to uniquely identify a natural person; and data collected from a known child. Unlike the Virginia law, Colorado does not treat precise geolocation data as "sensitive" data. Colorado follows both Virginia and California (the CPRA) in giving consumers the right to control their sensitive data, but both Colorado and Virginia provide greater protection to consumers than California, as the CPRA only gives consumers the limited right, under certain circumstances, to opt out of the use and disclosure of their sensitive data for purposes other than to provide the goods or services requested.
• Pseudonymous Data Is Excluded From Some Requirements: Colorado, like Virginia, recognizes a separate category of data—"pseudonymous data"—that is not subject to certain consumer rights requests. Pseudonymous data is information that "cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person." Companies' ability to maintain and use such data may increase operational flexibility and reduce compliance burdens. On its face, the Colorado law appears to be less burdensome than the Virginia law, because the Virginia law expressly requires controllers to exercise reasonable oversight to monitor compliance with contractual commitments necessary to maintain data in pseudonymous form. Nonetheless, because Colorado requires such oversight with respect to de-identified data, as a practical matter, controllers subject to the CPA will need to ensure that anyone to whom they disclose pseudonymous data adheres to the applicable restrictions.

Obligations the CPA Imposes on Companies

As is typical under privacy laws, under the Colorado law controllers must provide consumers a privacy notice that describes, among other things, the categories of personal data processed, the purposes of processing, consumers' rights and how and when consumers may exercise those rights, the categories of personal data the controller shares with third parties and the categories of such third parties, and whether the company sells personal data or uses it for targeted advertising or profiling. Colorado also imposes data security and data governance obligations, such as the duty to avoid secondary use and limit the data collected to what is "adequate," "relevant," and "reasonably necessary" to achieve the purpose of processing.

Good data governance practices will be useful to controllers in complying with the obligation to conduct data protection assessments. Like Virginia, Colorado requires controllers to conduct data protection assessments of processing that "presents a heightened risk of harm" to consumers. The CPA identifies the following activities as presenting a "heightened risk of harm": (i) processing personal data for targeted advertising or profiling that presents a foreseeable risk of: (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (b) financial or physical injury; (c) physical or other intrusion upon seclusion or a consumer's private affairs, if such an intrusion would offend a reasonable person; or (d) "other substantial injury to consumers; (ii) selling personal data; and (iii) processing sensitive data. The CPA gives the Colorado attorney general the right to request a copy of the assessment, but states that a controller will not waive attorney-client privilege in disclosing a copy in response to such request. The Virginia attorney general's right to obtain a copy of controllers' data protection assessments is slightly more restricted because the Virginia law allows the Virginia attorney general to request a copy only in connection with a civil investigative demand. The CPA does not include such a limitation.

One of the most controversial provisions in the CPA is the obligation it imposes on controllers, beginning in 2024, to recognize signals from a global opt-out mechanism for requests to opt out of targeted advertising and sales of personal data. Efforts to develop this kind of "do not track" mechanism failed several years ago after the World Wide Web Consortium ("W3C") tried unsuccessfully to reach consensus through a multi-stakeholder process on a technical standard for recognizing and respecting such preferences. The issue remained largely dormant until the California attorney general's office issued regulations last year under the CCPA directing businesses to recognize a global opt-out signal as a valid opt-out request under certain circumstances. The CPA provides a longer runway for controllers than the CCPA by giving controllers discretion to recognize such signals until July 1, 2024, after which they must honor such signals. In the meantime, the Colorado attorney general must develop rules by July 1, 2023, that will govern the technical specifications for such a mechanism. These technical standards must adhere to certain requirements in the statutes, such as giving controllers the ability to authenticate the consumer as a resident of Colorado and requiring the signal to represent the consumer's affirmative and freely given choice to opt out.

Importantly, the obligations on controllers under the CPA do not restrict the ability to, among other things, comply with legal requests; conduct internal research to "improve, repair, or develop products, services, or technology;" prevent or protect against fraud, identity theft, or malicious activities; or "preserve the integrity or security of systems." A controller that processes data pursuant to an exception must limit processing to what is "necessary, reasonable, and proportionate" to the listed purposes, and also bear the burden of demonstrating that processing qualifies for the exception and complies with the limits.

Enforcement

The CPA does not provide a private right of action for violations of the CPA "or any other provision of law." Violations of any provision of the CPA are considered deceptive trade practices and only the state attorney general and district attorneys can take action against violators and obtain monetary or injunctive relief. The monetary penalties that the Colorado attorney general can impose are significant: up to $20,000 per violation, making violations of the CPA substantially more costly, potentially, than violations of the Virginia or California laws. The CPA preempts all other local laws in the state regarding the processing of personal data.

Complicating the preparation for compliance, the CPA gives the Colorado attorney general broad rulemaking authority, leaving open the possibility of rule-based changes that could substantially deviate from and conflict with the Virginia and California laws. The ramp-up to compliance period may be made somewhat easier by a temporary right to cure that the CPA provides. Specifically, until January 1, 2025, covered entities will have 60 days, the longest "cure period" of any state privacy law, to correct any violation before the attorney general may take an enforcement action. The right to cure sunsets on January 1, 2025. In the meantime, the attorney general may—but is not required to—adopt rules that would become effective on the date that the right to cure sunsets and that would govern the process of issuing opinion letters and interpretive guidance. These letters and guidance would serve as an operational framework for covered entities to use in making compliance decisions and, if followed, would enable covered entities to assert a good faith reliance defense against an action for violation of the statute.

Conclusion

Covered entities in Colorado who already took steps to comply with the CCPA will need to adjust their compliance programs to prepare for the CPA. In particular, covered entities must take steps to understand what data they collect and process from Colorado residents at a granular level and consider what privacy risks may be associated with such activities under the new law. They will need to develop and implement processes regarding the collection, use, and disclosure of sensitive data, for instance, the process for honoring valid opt-outs, as well as a program for evaluating processing activities to determine which ones require a data protection assessment. Because the attorney general's office will promulgate rules that further expand on consumers' rights and covered entities' obligations, including rules for the opt-out mechanism, covered entities will need to watch developments in this space and adjust their compliance programs as necessary while the attorney general fills in the details.

FOOTNOTE

1  While Virginia excludes any information in public government records or that the controller has a reasonable basis to believe is lawfully made available to the general public (i) through widely distributed media, (ii) by the consumer, or (iii) by a person to whom the consumer has disclosed information without restriction, Colorado excludes only information in public government records or that the business has reasonable basis to believe the consumer has lawfully made available to the general public.