The regulatory landscape for data privacy in the United States is complex and rapidly evolving, with a patchwork of federal, state, and industry-specific laws and regulations governing the collection, use, and sharing of personal data. While there is currently no comprehensive federal data privacy law in the US, several states have taken steps to enact their own privacy laws, with others expected to follow suit in the coming years.
Colorado Privacy Act
The Colorado Privacy Act (CPA) is a data privacy law that was signed into law in Colorado in July 2021 and will go into effect on July 1, 2023. The CPA is one of the most stringent data privacy laws in the United States and follows in the footsteps of other state-level privacy laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA).
The CPA is a significant addition to this regulatory landscape, and businesses that collect, use, and share personal data in Colorado will need to ensure they are in compliance with the law’s requirements. The law’s focus on data security, consumer rights, and transparency reflects a growing trend among lawmakers to prioritize data privacy and protect consumers’ personal information.
Key Provisions of the Colorado Privacy Act
Applicability
The CPA applies to businesses that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and that meet certain thresholds related to revenue or data processing. Specifically, the CPA applies to businesses that:
- Control or process the personal data of 100,000 or more Colorado residents per year, or
- Derive revenue from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents per year.
It’s worth noting that the CPA’s applicability is broader than that of other state data privacy laws, such as the California Consumer Privacy Act (CCPA).
Data subject rights
The CPA grants Colorado residents certain rights with respect to their personal data. These rights include:
- The right to know what personal data a business is collecting about them.
- The right to request that a business correct inaccurate personal data.
- The right to request that a business delete their personal data (with some exceptions).
- The right to obtain a copy of their personal data in a portable format.
- The right to opt-out of the sale of their personal data.
The CPA requires businesses to establish processes for responding to data subject requests and to provide certain information to data subjects when collecting their personal information, such as the purposes for which the data will be used and the categories of third parties with whom the data will be shared.
Data protection obligations
The CPA imposes various obligations on businesses with respect to the protection of personal data. These obligations include:
- Implementing reasonable security measures to protect personal data from unauthorized access, destruction, use, modification, or disclosure.
- Conducting regular risk assessments to identify potential security risks to personal data.
- Obtaining consent from data subjects before processing sensitive data, such as data related to race, ethnicity, religion, health, or sexual orientation.
- Developing and implementing policies and procedures for the retention and disposal of personal data.
The CPA also requires businesses to notify data subjects and the Colorado Attorney General in the event of a data breach that affects the personal data of Colorado residents.
Data processing agreements
The CPA requires businesses to enter into contracts with third-party service providers that process personal information on their behalf. These contracts, known as “data processing agreements,” must include certain provisions related to data security and the rights of data subjects. Specifically, data processing agreements must require service providers to:
- Implement appropriate security measures to protect personal data.
- Notify the business of any data breaches.
- Delete or return personal data to the business upon termination of the agreement.
- Allow the business to audit the service provider’s compliance with the agreement.
Enforcement
The CPA grants the Colorado Attorney General the authority to enforce the law and to bring civil actions against businesses that violate its provisions. The CPA also provides for a private right of action for data subjects in certain circumstances. Specifically, data subjects may bring a civil action against a business if the business fails to comply with a data subject request or if the business violates the CPA in a way that causes the data subject harm. The CPA also provides for a “cure period” during which businesses can correct violations before facing enforcement actions or civil suits.
Impact of the Colorado Privacy Act on non-profit organizations
First, it’s important to note that the CPA defines a “business” as a legal entity that collects, processes, or sells personal data of Colorado residents and that meets certain revenue or data processing thresholds. However, the CPA specifically excludes non-profit organizations from the definition of “business,” meaning that non-profits are not subject to the CPA’s requirements unless they engage in certain commercial activities.
Specifically, the CPA only applies to non-profits if they meet one or more of the following criteria:
- The non-profit has annual gross revenue in excess of $25 million;
- The non-profit annually buys, sells, or receives or shares for commercial purposes, alone or in combination, the personal data of 100,000 or more consumers, households, or devices; or
- The non-profit derives 50% or more of its annual revenue from selling personal data.
- If a non-profit meets any of these criteria, it will be subject to the CPA’s requirements with respect to the personal data it processes in connection with those commercial activities.
However, even if a non-profit does not meet these criteria, it is still subject to certain provisions of the CPA related to data security and breach notification. Specifically, the CPA requires all entities, including non-profits, to implement reasonable security procedures and practices to protect personal data and to notify affected individuals in the event of a data breach.
In terms of penalties, the CPA provides for fines of up to $20,000 per violation for any entity that violates its provisions. However, the CPA specifies that non-profits will not be subject to the maximum fines unless they engage in willful and intentional violations of the law. Instead, fines for non-profits will be based on the nature, scope, and gravity of the violation, as well as the organization’s financial condition and other factors.
It’s important to note that the CPA’s exemptions for non-profit organizations are based on the activities that the organization engages in, rather than its legal or tax status. Therefore, whether a non-profit organization is exempt from the CPA will depend on the nature of its activities and whether those activities meet the thresholds set by the law.
Importance of the Colorado Privacy Act
The Colorado Privacy Act (CPA) stands out among other state data privacy laws in several ways, and for several reasons is considered one of the most stringent data privacy laws in the United States.
- Broader applicability: The CPA applies to businesses that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and that meet certain thresholds related to revenue or data processing. This is broader than the applicability of other state data privacy laws, such as the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA), which apply only to businesses that meet certain revenue or data processing thresholds.
- Sensitive data: The CPA includes specific provisions related to the processing of sensitive data, such as data related to race, ethnicity, religion, health, or sexual orientation. The CPA requires businesses to obtain explicit consent from data subjects before processing such data, which is more stringent than the requirements of other state data privacy laws.
- Private right of action: The CPA provides for a private right of action for data subjects in certain circumstances, which allows individuals to sue businesses for violations of the law. This is different from other state data privacy laws, such as the CCPA and VCDPA, which do not provide for a private right of action except in the case of data breaches.
- Opt-out of targeted advertising: The CPA requires businesses to provide Colorado residents with the ability to opt out of targeted advertising based on their personal data. This is different from other state data privacy laws, which do not specifically require businesses to provide an opt-out for targeted advertising.
- Higher penalties: The CPA imposes higher penalties than other state data privacy laws for violations of its provisions. Specifically, businesses can be fined up to $20,000 per violation, with no cap on total penalties. This is higher than the penalties under the CCPA and VCDPA.
- Data processing agreements: The CPA requires businesses to enter into contracts with third-party service providers that process personal information on their behalf. These contracts, known as “data processing agreements,” must include certain provisions related to data security and the rights of data subjects. This requirement is similar to the requirements of the GDPR, which is the data privacy law that governs the European Union.
Preparing for the Colorado Privacy Act
With the July 1st enforcement date approaching quickly, organizations should be proactive and start putting together a comprehensive plan to achieve compliance.
- Identify and categorize data: The first step for businesses is to identify and categorize the personal data they collect, process, and store. This includes determining what data is sensitive and requires explicit consent from data subjects for processing, such as data related to race, ethnicity, religion, health, or sexual orientation. This will help businesses determine which provisions of the CPA apply to their operations and ensure they are in compliance with the law.
- Develop data processing agreements: Businesses must ensure they have contracts in place with third-party service providers that process personal data on their behalf. These contracts, known as “data processing agreements,” must include certain provisions related to data security and the rights of data subjects. Businesses must review and update their existing contracts to ensure compliance with the requirements of the CPA.
- Establish policies and procedures: Businesses should establish policies and procedures that govern how they collect, process, store, and protect personal data. These policies and procedures must be consistent with the requirements of the CPA, and businesses should conduct regular audits to ensure compliance.
- Train employees: Businesses must train their employees on the requirements of the CPA and ensure they are familiar with the policies and procedures in place. This includes training on how to respond to data subject requests and how to report data breaches.
- Implement data subject request processes: Businesses must establish processes for responding to data subject requests, including requests to access, correct, or delete personal data. These processes must be consistent with the requirements of the CPA and businesses must respond to requests within the timeframes specified in the law.
- Conduct regular risk assessments: Businesses must conduct regular risk assessments to identify and mitigate potential data privacy and security risks. This includes identifying vulnerabilities in their systems and processes and taking steps to address them.
By taking these steps, businesses can prepare for the enforcement of the Colorado Privacy Act and ensure they are in compliance with the law. It is important for businesses to stay informed about any updates or changes to the law and adjust their policies and procedures accordingly.
