🔮 What’s coming for Data Privacy in 2024? Download our definitive trend guide for exclusive insights
Keep reading to learn more about the Colorado Privacy Act:
‍‍
What these U.S. state laws have in common is the implementation of a notice and opt-out choice regime. A “notice and opt-out choice regime” means that business can process most types of data as long as there is a consumer-facing privacy notice that describes the intended use of data, and the consumer (data subject) is provided with the opportunity to opt-out of certain uses of such data (e.g., profiling, sale, targeted ads).
‍
What makes the Colorado Privacy Act unique?
Like California’s CCPA/CPRA, the CPA is supplemented by a set of regulations. A regulation is a rule or order that is issued by a government agency to implement a law. The Colorado attorney general crafted the CPA regulations with some input from the public, including the business community. Regulations are usually more specific than laws, and they provide guidance on how to comply with the law.Â
The Colorado Privacy Act (CPA) goes into effect on July 1, 2023 and will be enforced by the Colorado Attorney General. It’s notable that certain obligations don’t go into effect until January 1, 2024 and there’s a 60-day right to cure most violations until January 1, 2025.
The CPA applies to companies that conduct business in Colorado and/or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either:
The CPA defines “consumers” to mean Colorado residents acting only in an individual or household capacity. It does not include Colorado residents acting in a commercial or employment capacity.
Key Concepts in the Colorado Privacy Act
Broad definition of personal information
Like most privacy and data protection laws promulgated over the past five years, Colorado has adopted a broad definition of personal information. It is designed to cover pseudonymous personal data (e.g., IP address, Mobile Advertising ID (MAID), Hashed Email (HEM)) and identifiable personal data (e.g., email or postal address, telephone number). There are exemptions for “public” information and “de-identified” data.
‍
Consumer Choice / Consent
Colorado mostly has a notice and opt-out choice regime. That means that you can process most types of data, so long as:
But be careful! Colorado’s guidance requires consent if your use of data is outside the scope of the privacy policy under which the data was initially collected (i.e., a secondary use of data). Also, Colorado requires opt-in consent for the processing of “sensitive information” (see below). Â
Data Subject Access Requests
A data subject access request (DSAR) is a formal request from an individual (the data subject) to a company, requesting a copy of their personal data stored with the company. The CPA provides consumers with the right to see the data that companies have on them (including pseudonymous data, in many instances). Consumers then have the right to correct and/or delete that information.
Sensitive Data
The CPA has created a new category of data called “Sensitive Data.” Sensitive Data is modeled on “special category” data in EU data protection law. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.Â
Colorado requires opt-in consent prior to processing sensitive data. More importantly, the CPA Guidance’s inclusion of inferences and derivative data indicates that “health conditions” and other forms of sensitive data should be construed broadly. Collecting potentially sensitive data will likely require some adjustments to many companies’ data taxonomy and data governance ruleset.
Controller / Processor
The CPA utilizes the GDPR terms for controller (i.e., controls the means of processing) and processor (i.e., takes direction from the controller). Moreover, the CPA requires processors to offer controllers an opportunity to object to the use of sub-processors and provides certain rights for controllers to audit the privacy practices of their processors.
Data Governance
Like some other states, Colorado places guard rails around how companies may process data. The expectation is for companies to only collect data that is absolutely necessary (“data minimization”) and to store it for as little time as possible (“data retention”).
‍
Privacy Impact Assessment
Another concept borrowed from EU data protection law, Colorado requires companies to complete Privacy Impact Assessments (PIAs): systematic evaluations of their data collection and use practices with an eye towards identifying risks and minimizing or eliminating those risks. The Colorado AG’s guidance provides a roadmap for what the AG expects to see within a privacy impact assessment.
‍
Data Processing Agreements
The CPA suggests a data processing agreement (DPA) between controllers and processors. The purpose of a DPA is to outline how the parties plan to ensure that their intra-party data transfers are compliant with privacy laws, and to specify the permitted uses of the data.
‍
While GDPR ushered in a new era of large privacy and compliance fines, a few of the U.S. State Privacy Laws also incorporated some fairly aggressive fine structures. The first CCPA fine was $1.2 million. Fines are often determined by the number of violations–which is often dependent on the number of records in your database. Needless to say, those numbers can add up quickly if you’re working with millions of consumers in one of the states–and the fines typically don’t include legal fees or injunctive relief.
Here’s a thumbnail of the fine structures across various U.S. states, including Colorado:
CPA generally operates under a notice and opt-out choice privacy regime. However, the CPA and CPA Regulations impose an opt-in consent standard where data is used or shared for a “secondary use.” As a result, it’s really important to provide clear and detailed privacy notices–and the privacy notice that data was collected under so as to ensure that you’re not tripping into an opt-in consent standard inadvertently.
The only way to manage data governance across a full data ecosystem is to individually label every single bit of data you collect, effectively creating a layer of metadata that articulates how any given fact or unit of information can be used [APC1] .
Ketch can automatically crawl and scan your data ecosystem to create and maintain that classification of data labeling metadata so that you can understand, and act on data that’s within the scope of the Colorado privacy regulation.
Your data labels can’t be written in permanent ink. Instead, they need to reflect the rules under which the data subject is operating (which may be subject to change). For that reason, it’s important that your systems are nimble and flexible enough to allow users to change their minds and revoke or modify permissions at any moment.
Data labels can’t be anchored in your own internal data-handling processes; instead, they need to be incorporated into the data itself. That’s vital because it’s the only way to ensure that changes made by your users will propagate out to your outside partners, and define their data-handling processes too.
Given the amount of time and energy the Colorado AG has dedicated to creating the CPA Regulations, we believe that it is likely that the CPA will be robustly enforced–even during the period where the CPA has a 60 day notice and cure period in place. Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators.
Like many of the other U.S. States, Colorado requires adherence to opt-out requests sent by a “Universal Opt-Out Mechanism” (UOOM). These provisions are not set to go into effect until January 1, 2024. While the Colorado AG will create a list of recognized UOOMs and provide controllers with six months to implement newly added UOOMs. Given the limited timeline for implementation, it would be prudent to say abreast of new UOOMs so as to ensure that you are in position to honor their signals.
Unlike GDPR, the CPA does not require the appointment of a data protection or privacy officer with a legally mandated set of responsibilities. Regardless, it’s still a good idea to have an internal person or team dedicated to ensuring privacy compliance. And bringing in an outside resource such as a privacy lawyer can help you make sure you understand all of your compliance obligations.
Rules change, and new privacy rules are being written all the time. By encoding compliance metadata directly into your data, you can ensure that your datasets can quickly be brought into compliance not just with Colorado Privacy Act as they exist today, but with any new iterations or copycat statutes introduced by other states.
With the Ketch Trust by Design Platform, you can:
When you automate these processes, you enable your internal stakeholders:Â
