Colorado Privacy Act (CPA)
Privacy frameworks are continuing to shift in Colorado and across the nation, requiring businesses to adapt to increasing oversight from regulatory bodies. In-house protocols for both managing privacy protection and monitoring compliance are important tools in any company’s repertoire. A robust data privacy program may also benefit from the advice of seasoned data privacy attorneys whose practice areas encompass broad-based consumer protection regulatory compliance.
What Is the Colorado Privacy Act?
The Colorado Privacy Act (CPA) was enacted in July 2021, making Colorado the third state – following California and Virginia – to enact a comprehensive consumer data privacy law. The Virginia/Colorado privacy model includes nuanced privacy obligations that differ in some important ways from the California privacy model. Similar to California’s privacy law, the CPA includes corresponding regulations.
The CPA applies to companies that engage in business with Colorado residents and that (1) control or process the personal data of at least 100,000 Colorado consumers during a calendar year or (2) control or process personal data of at least 25,000 Colorado consumers and derive revenue or receive a discount on the price of goods or services from selling personal data. Meeting either regulatory threshold will impose an obligation on the company to ensure its compliance with CPA requirements.
Consumer Rights Under the CPA
The CPA grants Colorado consumers a range of privacy rights, including right of access, right of correction, right to delete, right to data portability, and right to opt out. To ensure the protection of consumer data privacy, new obligations have been imposed on all companies that fall under the purview of the law. For instance, businesses must now consider the following legal duties:
- Privacy policy. Companies must provide all consumers with a clear and accessible privacy notice that outlines the kind of data the company will be collecting, the purpose of processing this data, and the categories of third parties with whom the data will be shared.
- Collection minimization. The collection of personal data must be limited to data that is adequate and relevant to what is reasonably necessary to fulfill the purpose for data collection.
- Security precautions. Companies must employ “reasonable security measures” to prevent unauthorized access to consumers’ personal data.
- No secondary use of data. Companies are not permitted to use data for a purpose that is different from the purpose disclosed to consumers at or before collection unless the consumer consents to its use for the different purpose.
- Anti-discrimination. Businesses cannot discriminate against consumers for exercising their rights under the CPA.
Violations of the Colorado Privacy Act are considered deceptive trade practices, meaning the penalties are governed by the Colorado Consumer Protection Act. As such, companies that are found to be noncompliant can face fines of up to $20,000 per violation, with enforcement managed by the office of the Colorado Attorney General. The CPA does not establish a private right of action for consumers.
Achieving Compliance
Businesses have a legal obligation to remain compliant with a host of regulatory requirements imposed by federal and state consumer protection and privacy laws. The interplay of these laws can be complex, demanding the implementation of compliance procedures that recognize an array of overlapping, and even potentially conflicting, rules.
The CPA in particular may require few to no changes for a business operating well beneath the regulatory threshold, while a company managing data collected from large numbers of Colorado residents annually may already have faced a comprehensive overhaul of its consumer data handling procedures.
For companies approaching the CPA applicability threshold, it may be advisable to begin developing appropriate protocols for collecting data, for disclosing foreseeable uses of data to consumers, and for securely storing the collected data – before being required to do so by law.
The considerations necessary for compliance under the CPA also vary somewhat depending on whether a business is defined as a data controller vs. processor, while some businesses may function in both roles. Understanding how the CPA defines these terms and what they mean for a company’s obligations is essential to achieving and maintaining compliance with this law.
Whether a business is defined under the CPA as a data controller or a data processor, we have guided many businesses throughout their compliance journey, helping them:
- assess the data that is being collected and how it is being stored.
- evaluate the necessity of each category of data as it relates to business objectives.
- update privacy policies to ensure transparency, accessibility, and clarity.
- review vendor agreements to ensure that all parties take necessary steps to comply with the CPA and to submit to audit, as necessary.
- establish a process for responding to consumer requests.
- ensure that all staff and employees are trained on compliance procedures.
- document all compliance efforts and security measures that have been put in place.
Questions about the Colorado Privacy Act or other state privacy laws? We can help. Let’s chat.