Third time’s a charm: The Colorado Privacy Act
Aug 10, 2021 5:00:00 AM
Following the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA), Colorado is the third US State to adopt extensive Data Protection legislation. On 7 July 2021, Governor Polis signed the Colorado Privacy Act which becomes effective in July 2023. The Act grants a set of rights to consumers and imposes obligations on businesses. Its text can be found here: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
The CPA’s application is two-fold: it binds every controller who ‘conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado’ and either (a) controls or processes the personal data of at least 100,000 consumers per year or (b) processes the personal data of at least 25,000 consumers and derives revenue, or receives a discount on the price of goods or services, from the sale of personal data.
As under the GDPR, the controller is the entity that determines the purposes for and the means of the processing, while the processor processes personal data on behalf of a controller.
Consumers are all Colorado residents ‘acting in an individual or household context’ excluding individuals acting in a commercial or employment context. Personal data includes any information that ‘is linked or reasonably linkable to an identified or identifiable individual’ and does not cover de-identified or publicly available information. Data is deemed to be de-identified where it cannot reasonably be used to infer information about an identified or identifiable individual and reasonable measures are taken to warrant the de-identification.
Certain categories of data are per se excluded from the act’s scope. These include among others specific health data and data maintained by financial institutions.
Additionally, the obligations imposed on controllers and processors cannot prevent them from complying with other legal obligations, exercising or defending legal claims, providing products or services requested by the consumer or complying with contracts entered into with the consumer, protecting vital interests, processing for public interest purposes, and some others. Businesses are advised to check this list of exceptions to examine its applicability to their processing activities. However, it should be borne in mind that processing under an exception must be limited to that purpose and be ‘necessary, reasonable and proportionate’ to it.
As already known from other Privacy legislation, the CPA contains a list of consumer rights. Businesses must allow consumers to exercise their rights via the method specified in their privacy notice and cannot require consumers to create a new user account solely to exercise their rights.
Firstly, consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or significant effects concerning the consumer. Before July 1, 2024, a ‘clear and conspicuous method to exercise the right to opt out’ is sufficient. Afterwards, controllers must allow the exercise of this right ‘through a user-selected universal opt-out mechanism’ based on technical specifications established by the Attorney General before this date.
Consumers are further granted the well-known rights of access to the personal data processed about them, the right to correction of the data, the right to deletion and the right to portability, which requires the data to be provided in a portable and readily usable format that allows the consumer to transmit it to another entity without hindrance.
Consumer rights requests must be answered within 45 days of receipt unless an extension of another 45 days is reasonably necessary. Controllers must further establish an internal appeal mechanism through which consumers can take action if their request has not been acted upon.
The scope of the consumer rights is more limited where de-identified data is concerned since, among other things, consumers cannot demand that the data be re-identified.
Duties of controllers
The ‘duties’ imposed on controllers mostly coincide with the ‘principles’ enshrined in the GDPR.
Controllers are subject to a duty of transparency requiring the provision of a ‘reasonably accessible, clear and meaningful privacy notice’ that includes the categories of personal data processed, the purposes of the processing, information on how consumers can exercise their rights, and which data is shared with which third parties.
The duties of purpose specification and data minimization require that personal data be processed for a specified, express purpose and be ‘adequate, relevant and limited to what is reasonably necessary in relation to the specified purpose’. Secondary use must be avoided. Hence, personal data can only be processed for the previously disclosed purpose unless the consumer’s consent is obtained.
Consent is a ‘clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement’. Consent is invalid where it was obtained through general or broad terms of use, through a document containing additional, unrelated information, through a pre-selected default option that the consumer must de-activate, or through dark patterns.
Controllers are further subject to a duty of care, requiring reasonable measures to secure personal data from unauthorized acquisition during its storage and use, and a duty to avoid unlawful discrimination, i.e. processing personal data in violation of anti-discrimination laws.
Lastly, sensitive personal data can only be processed with the consumer’s consent. Sensitive data covers racial, ethnic and religious information, data on health, sexual orientation and citizenship, genetic or biometric data, and children’s personal data.
Data Protection Impact Assessments (DPIA)
DPIAs are mandatory for each processing activity that presents a heightened risk of harm to a consumer. These include (but are not limited to) processing for targeted advertising or profiling, the sale of personal data and the processing of sensitive data.
Overall, the CPA aligns well with its US and European counterparts and most of its rights and obligations are already well-known. However, some of its features distinguish the act from other privacy laws, such as its application to non-profit organisations, its lack of a private right of action and its universal opt-out mechanism. Naturally, companies conducting business in Colorado should examine whether their existing compliance mechanisms are in line with the CPA.