Written by: Sarah Johnson | March 2, 2022

This month we're looking at two significant pieces of internet privacy legislation from 2021: first, the Virginia Consumer Data Protection Act (VCDPA), and second, the Colorado Privacy Act. The Colorado Privacy Act made Colorado the third state (after California with the CCPA in 2018 and Virginia with the VCDPA earlier in 2021) to enact comprehensive privacy legislation. For more on privacy legislation, you can check out the Oklahoma Computer Data Privacy Act, which we looked into last month, and Examining the American Data Dissemination (ADD) ACT and NV SB260 – The Latest in Internet Privacy Legislation.

What is the Colorado Privacy Act?

Scope

Like other major privacy legislation, the new regulations outlined in the Colorado Privacy Act (CPA) do not apply to every company. The legislation sets out the following thresholds for whether the bill's regulations apply to a company. Companies, or controllers, must conduct business in Colorado or intentionally target Colorado residents, and must either:

  • Control or process the personal data of 100,000 or more consumers per calendar year, or
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers

Key definitions outlined

A consumer is defined as an individual who is a Colorado resident acting only in an "individual or household context". It does not include someone acting in a "commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context." This is the same language as the VCDPA, meaning data controllers are not required to count the employee personal data they collect and process when determining whether the law applies to their business.

Also like the VCDPA and CCPA, the "sale of personal data" is defined. In the CPA, this is "the exchange of personal data for monetary or other valuable consideration by a controller to a third party." This definition is modeled after the definition of "sale" used in the CCPA. The VCDPA requires money to change hands for a sale to take place, whereas the CCPA and CPA also allow other exchanges that provide "valuable consideration" to qualify as a sale. The following disclosures are excluded from the definition of "sale":

  • Disclosures to a processor that processes the personal data on behalf of the controller
  • Disclosures of personal data to a third party for the purpose of providing a product or service requested by the consumer
  • Disclosures or transfers of personal data to an affiliate of the controller
  • Disclosures or transfers to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets
  • Disclosures of personal data that a consumer directs the controller to disclose, or that the consumer intentionally discloses by using the controller to interact with a third party
  • Disclosures of personal data that the consumer intentionally made available to the general public via a channel of mass media

“Publicly available” information is defined in the bill as any “information that is lawfully made available from … government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”

"Sensitive data" is defined as any of the following three categories:

  1. Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status
  2. Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
  3. Personal data from a known child. "Child" is defined in the bill as an individual under the age of 13.

Exemptions

Like the VCDPA, the CPA outlines specific exemptions:

  • Health care information governed by state or federal law, including information and documents created by a covered entity for the purpose of complying with HIPAA and its implementing regulations
  • Financial information used to determine a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, where the company is a consumer reporting agency or its activity is regulated by the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act
  • Data governed by the Driver's Privacy Protection Act of 1994, the Children's Online Privacy Protection Act of 1998, and the Family Educational Rights and Privacy Act of 1974
  • De-identified data. This is defined as "data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data" meets the bill's conditions for maintaining it as de-identified
  • Data kept for employment records or job applications
  • Other publicly available data, such as property tax and home ownership records
  • Data collected by airlines and telephone companies

Most notable in this section is that, unlike the VCDPA and the CCPA, the CPA does apply to nonprofits and does not have a blanket exemption for entities regulated by HIPAA; only the HIPAA-governed data itself is exempt.

Rights provided to Colorado consumers

Right of access. The right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.

Right to correction. The right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

Right to delete. The right to delete personal data concerning the consumer.

Right to data portability. The right to obtain the consumer's personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.

Exercising the rights to access, correct, delete, and obtain data is free of charge once per year per controller. If the consumer wants to exercise these rights more than once in a calendar year, the controller may charge a fee for the additional requests.

Right to opt out. The consumer, or someone authorized by the consumer acting on the consumer's behalf, has the right to opt out of the processing of personal data concerning the consumer for purposes of:

  • Targeted advertising
  • The sale of personal data
  • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer

The controller may also not require the consumer to create a new account in order to exercise these rights.

Right to appeal. If a controller does not take action on a consumer's request, the controller must inform the consumer within 45 days of receiving the request. The controller must also give the consumer the reasons for not taking action and instructions on how to appeal the decision.

Controller obligations

The CPA outlines obligations, or "duties", controllers must fulfill if the CPA is applicable to their business.

Duty of transparency. Controllers must provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.” This notice must include:

  • The categories of personal data collected or processed by the controller or processor
  • The purpose(s) for which each category of personal data is processed
  • How and where consumers can exercise their right to appeal and the other rights outlined above
  • The categories of personal data shared with third parties
  • The categories of third parties with whom personal data is shared

This duty also states that "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing."

Duty of purpose specification. Controllers must "specify the express purposes for which personal data are collected and processed" at the time personal data is collected.

Duty of data minimization. "A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” Similar language is outlined in the VCDPA.

Duty to avoid secondary use. Unless a controller obtains the consumer's consent for the secondary purpose, it may not process personal data for "purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed."

Duty of care. The CPA imposes a duty of care requiring controllers to take reasonable security precautions when storing and using personal data. The security practices implemented must be "appropriate to the volume, scope, and nature of the personal data processed and the nature of the business."

Duty to avoid unlawful discrimination. The CPA prohibits a controller from processing personal data “in violation of state or federal laws that prohibit unlawful discrimination against consumers.”

Duty regarding sensitive data. Before processing any sensitive data, a controller must first obtain the consumer's consent. If the consumer is a known child, the controller must first obtain consent from the child's parent or guardian. Consent must be "freely given, specific, informed, and unambiguous."

Enforcement

The bill states that the Colorado Attorney General and state district attorneys are responsible for enforcing the new regulations. One notable point is that by the time the CPA takes effect (July 1, 2023), the attorney general's office must have adopted rules specifying which universal opt-out mechanisms can be used, since this was not outlined in the bill itself. The CPA also gives companies 60 days to "cure" a violation, but this right to cure sunsets in 2025. The CCPA and VCDPA limit the cure period to 30 days.

Unlike other data privacy legislation, the bill outlines no explicit fine amounts. It does state that a violation of the CPA is a deceptive trade practice, and, under the Colorado Consumer Protection Act, a noncompliant controller can be fined up to $20,000 per violation.

Cover Photo by Kaffeebart on Unsplash

About BillTrack50 – BillTrack50 offers free tools for citizens to easily research legislators and bills across all 50 states and Congress. BillTrack50 also offers professional tools to help organizations with ongoing legislative and regulatory tracking, as well as easy ways to share information both internally and with the public.