Much like states have unique data breach notification laws, more states are passing state-specific regulations related to consumer data privacy. Colorado has become the latest state to pass data privacy legislation, and if your company does business in that state, you could find yourself affected. But what does this entail? What’s required to be compliant, and how might this impact your business? We take a closer look.
What is the Colorado Privacy Act?
After California and Virginia, Colorado passed data privacy legislation by signing the Colorado Privacy Act (CPA) into law on July 8, 2021. It will take effect on July 1, 2023. It was created to protect the privacy of Colorado residents by assigning responsibilities to companies operating in the state.
The Colorado Privacy Act applies to Colorado residents and imposes data protection requirements on businesses that:
- Conduct business in Colorado
- Deliver or produce commercial products/services targeted at Colorado residents
- Collect personal data of more than 100,000 consumers per year
- Collect personal data of more than 25,000 consumers and earn revenue or discounts by selling that data
Similar laws have already been passed in Virginia as the Consumer Data Protection Act (CDPA) of 2021 and California as the California Privacy Rights Act (CPRA) of 2020. Businesses that meet the criteria must comply with the regulations in addition to other applicable industry and federal regulations such as the Consumer Financial Protection Act and the EU’s General Data Protection Regulation (GDPR) that aim to improve consumer data protection practices. (There are a few exceptions, which we’ll discuss later in this article.)
Consumer Rights Under the Colorado Privacy Act
The CPA defines consumers as Colorado residents acting in an individual or household context. Personal data is defined as information that relates to an identifiable individual. The definition of consumer excludes individuals in Colorado acting in a commercial or employment context, job applicants, and beneficiaries of someone acting in a commercial or employment context. The CPA does not cover data that has been de-identified or is publicly available.
Businesses need to provide a clear privacy notice to consumers and have data protection policies to protect the personal data they process. Consumers have several rights under the CPA, including the right to opt out of data collection for targeted advertising. The method to opt out must be simple, and a default setting should ensure that they can avoid data processing.
More than this, consumers have the right to access their personal data in a usable format, correct any inaccuracies, and delete their data. When a consumer sends a request to access, edit, or delete their personal data, the concerned entity must respond to their request within 45 days.
Controllers and Processors Working on Personal Data
According to the CPA, a controller is an entity that collects, stores, processes, or uses the personal data of consumers. A processor is an entity that processes the data for the controller. Consumers can opt out of the controller’s processing and can also ask the controller to amend or delete the data.
This act specifies how a controller has to fulfill its duties regarding transparency and the handling of consumers’ personal data. It also guides controllers to avoid secondary use and unlawful discrimination.
Controllers are required to run a data protection assessment for every processing activity that involves personal data with a heightened risk of harm to consumers. Some examples of such activities include:
- earning revenue from targeted advertising;
- selling personal data;
- processing sensitive data; or
- creating a detailed consumer profile.
Local governments cannot adopt laws that control personal data processing by controllers and processors. The opt-out method should be universal, and every resident of the state should be able to opt out easily.
How to Become CPA Compliant
There are similarities among the privacy laws for Colorado, Virginia, and California that allow companies to create a uniform approach to data privacy. Here are some steps that can help you achieve and maintain CPA compliance:
- Confirm that your business meets the jurisdictional boundaries of the Colorado Privacy Act.
- Create a privacy policy to reflect your data processing activities.
- Implement security measures, such as a robust data protection solution, to ensure the personal data you collect doesn’t end up in the wrong hands.
- Conduct regular assessments to evaluate the data processing activities and to estimate the risks associated with them.
- Enable an opt-out mechanism so a user can easily and universally opt out of the data processing activities.
- If your business collects sensitive customer data, you must inform the consumer in clear terms and obtain their consent. Asking consumers to accept general terms is not acceptable.
- Develop a method to honor a consumer’s request to access, correct, or delete their data.
- Develop a training program so the employees responsible for controlling consumer data understand the act and the processes required to implement it.
Apart from this, controllers must conduct regular data protection assessments, and the results should be made available to the Attorney General whenever requested. The Attorney General can evaluate the reports to see if the controller complies with the duties required by the CPA.
Exemptions to the CPA
Not all businesses have to comply with the CPA. Organizations that do not collect the personal data of more than 100,000 consumers per year, or those that do not collect the personal data of more than 25,000 consumers for revenue purposes, are exempt from this act. Apart from this, some other businesses are also exempt, including:
- Public utilities
- Airlines
- Businesses covered by the Children’s Online Privacy Protection Act, the recently updated Gramm-Leach-Bliley Act, or the Family Educational Rights and Privacy Act
- Government organizations working in Colorado
- Businesses collecting de-identified data
- Higher education institutions
- Consumer reporting businesses
Enforcement of the CPA lies with District Attorneys and the Attorney General. A violation of the CPA counts as a deceptive trade practice under the Colorado Consumer Protection Act (CCPA).
Conclusion
If you’re collecting the personal data of more than 100,000 consumers per year, or more than 25,000 consumers for revenue purposes, you may need to
- have a clear privacy notice and provide it to consumers;
- allow consumers to review, edit and delete stored personal information;
- allow consumers to opt out of the data collection process;
- ensure the data is stored securely;
- conduct regular data protection assessments;
- ensure your employees are properly trained and compliant with the act; and
- implement an effective data protection solution to safeguard personal data.
Data privacy is critical when it comes to conducting business, and the Colorado Privacy Act will have a measurable impact on any business with customers in that state.