With Colorado Governor Jared Polis expected to sign the Colorado Privacy Act, SB-190, into law in the coming days, Colorado will join California and Virginia as the third state with a comprehensive data privacy law.[1] The Colorado Privacy Act (“CPA”)—which passed with bipartisan support in both the Colorado House and Senate—is similar, but not identical, to the California and Virginia data privacy laws. Although its provisions will not take effect until July 1, 2023, the passage of the CPA grows the patchwork of state privacy regimes and may spur further calls for a uniform federal standard, as compliance for businesses becomes increasingly complicated.
The Rights and Duties Established by the CPA
The CPA seeks to ensure the privacy of Colorado consumers while recognizing that the use of consumer data can result in positive innovation. Against that backdrop, the CPA recognizes several broad consumer rights, including the rights to:
- Opt out of the processing of personal data for the purposes of targeted advertising, sale, or the creation of a consumer data profile;
- Confirm that a business is using a consumer’s personal data and the right to access such data;
- Correct inaccuracies in a consumer’s personal data held by a regulated entity;
- Delete a consumer’s personal data; and
- Obtain and transfer a consumer’s personal data.
Each of these rights has important implications for impacted businesses. However, because Colorado elected to adopt an opt-out, rather than an opt-in, regulatory scheme, consumers must still take at least some affirmative action to restrict a business’s use of their personal data. That said, the CPA does require that businesses provide a clear and conspicuous method through which consumers can opt out.
Even if a consumer elects to opt out of the collection/processing of their personal data, regulated businesses may still seek and obtain a consumer’s consent for specific instances of targeted advertising or the sale of their personal data, which provides some flexibility in the regulatory scheme. As with the opt-out mechanism, the CPA has specific requirements governing what constitutes consent—including that it not be obtained through deception in the form of so-called “dark patterns,” which the CPA defines as user interfaces that subvert or impair users’ autonomy, decision-making, or choice.
In tandem with the five core “rights” outlined above, the CPA imposes on regulated entities a number of additional duties, including:
- Transparency, which requires that regulated entities provide substantial privacy notices to consumers;
- Specifying the purposes for which personal data is collected;
- Minimizing the collection of personal data;
- Avoiding any secondary use of collected personal data;
- Care to ensure the security of collected personal data;
- Avoiding using personal data in violation of state or federal antidiscrimination laws; and
- Obtaining specific consent for the processing of certain classes of sensitive personal data.
Businesses and Data Excluded from Regulation Under the CPA
Despite the broad aims of the CPA, it does not regulate all businesses in Colorado, nor does it address all types of consumer data. Most critically, the CPA applies only to businesses that (i) conduct business in Colorado, or (ii) produce or deliver commercial products or services intentionally targeting Colorado residents. In addition, the CPA only applies if a business:
- Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- Derives some revenue or receives a discount on goods and services from the sale of personal data and processes the personal data of at least 25,000 consumers.
Those threshold requirements mean that many small businesses, as well as many businesses that operate in the business-to-business world rather than the business-to-consumer world, will escape the reach of the CPA. The CPA also exempts (with some caveats) certain types of entities, including airlines and public utilities. The CPA similarly does not reach consumer information separately addressed by other statutory data privacy schemes, like HIPAA or the Gramm-Leach-Bliley Act.
Enforcement of the CPA
When it comes to enforcement of the CPA, Colorado vested enforcement authority only in the Colorado Attorney General and District Attorneys. Unlike with the CCPA in California, there is no private right of action under the CPA. This limitation will protect regulated entities from facing the costs of consumer-initiated litigation.
However, the Attorney General is granted significant regulatory and enforcement authority, beginning with the task of building out rules to implement the Act. Among other things, the Attorney General is directed to set out rules and technical specifications defining what constitutes a permissible opt-out mechanism and, later, to set out rules governing the process of issuing opinion letters and guidance regarding business practices in light of the requirements of the CPA. Perhaps more importantly, the CPA permits enforcement actions led by the Attorney General through the provisions of the Colorado Consumer Protection Act.
Although the provisions of the CPA are similar to the privacy laws adopted previously by California and Virginia, the existence of a third, stand-alone, state privacy law complicates the picture for businesses operating in multiple jurisdictions. A federal law may eventually succeed in leveling the playing field, but in the meantime, businesses operating in Colorado should prepare to comply when the CPA goes into effect on July 1, 2023.
[1] California originally passed its privacy law, the California Consumer Privacy Act (“CCPA”), in 2018. More recently, California voters passed Proposition 24, creating the California Privacy Rights Act (“CPRA”). The CPRA is slated to go into effect on January 1, 2023 and will effectively replace the CCPA.