Colorado has joined California and Virginia to become the third U.S. state to pass comprehensive data privacy legislation. The new law, which went into effect on July 1, 2023, borrows in part from the European Union’s General Data Protection Regulation, but more significantly from both the California Consumer Privacy Act, including as amended by the California Privacy Rights Act, and the Virginia Consumer Data Protection Act. Unlike those state laws, the Colorado law does not exempt nonprofit organizations.
What is CPA?
The Colorado Privacy Act (CPA) is a state law that gives consumers the right to know what personal information is being collected about them, why it is being collected, and how it will be used. The CPA also gives consumers the right to control how their personal information is used and to remove their personal information.
Who Should Care?
The CPA applies to any organization that controls or processes personal data regarding 100,000 Colorado consumers or derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes the personal data of 25,000 Colorado consumers or more. The CPA defines ‘consumers’ as Colorado residents acting in their individual or household contexts. Excluded from that definition are individuals acting in a commercial or employment context. For nonprofit organizations “consumers” includes donors and visitors to their websites.
What Consumer Rights Are Granted By the CPA?
The CPA grants Colorado consumers various privacy protection rights related to their personally identifiable information, and the opportunity to learn more about the types of data being collected, shared, and sold. These rights include:
- The right to opt out of the sale of personal data.
- The right to opt out of the collection or use of personal data for targeted advertising or various types of profiling.
- The right to know whether an organization is processing or collecting their personal data.
- The right to access personal data an organization has collected.
- The right to delete personal data an organization has collected.
- The right to correct the data an organization has collected.
- The right to download a copy of their personal data.
- The right to transfer their data from one platform to another (up to two times per year).
How Can My Organization Comply with CPA?
To comply with the CPA, organizations must provide consumers with clear privacy notices and conduct data protection assessments for any personal data processing that presents a heightened risk of harm to consumers. What qualifies as a “heightened risk” is not clearly delineated, however. Generally speaking, organizations which are subject to the CPA should:
- Update their privacy policy to address the CPA requirements, including the “categories” of personal data processed.
- Update their contracts with third parties (i.e., anyone that “processes” personal data on their behalf) to ensure that they comply with the CPA. The CPA requires that these contracts include (i) processing instructions, including the nature and purpose of the processing; (ii) the type of personal data and duration of the processing; and (iii) obligations to delete or return all personal data at the end of the services period.
- Ensure that they are implementing appropriate physical, organizational and technical cybersecurity safeguards and depending on the nature and use of the data collected, conduct a data-protection assessment.
- Create a process to allow consumers to submit requests and receive information regarding their use of consumers’ personal data. Generally, organizations have 45 days to respond to such requests.
- Provide clear and conspicuous notice of the right to opt out of targeted advertising and sales of personal data.
- Establish the technical specifications of a user-selected universal opt-out mechanism by July 1, 2024.
- Obtain consumers’ informed consent before collecting sensitive data.
- Establish a procedure to determine when to conduct a data protection assessment.
Universal Opt-Out
In an interesting twist, the CPA will make Colorado the first state to explicitly require companies to honor a universal opt-out signal. Starting July 1, 2024, organizations must allow individuals to opt out of targeted advertisements and/or the sale of personal data through a universal opt-out mechanism that meets the technical specifications established by the State Attorney General (AG). I’ll explore this in detail in a future article.
Conclusion
While many of the rights and obligations set forth in the CPA should be familiar to organizations that process personal data, the CPA includes some additional requirements not seen in the other state data privacy laws. These include new consent requirements regarding sensitive data and a universal opt-out, as well as requirements around data processing and data privacy. Organizations should review their data privacy policies and procedures with legal counsel to ensure compliance with the CPA.
