The Colorado Privacy Act (CPA) will come into force on July 1, 2023. When the law was signed on July 7, 2021, Colorado became the third state to pass consumer privacy legislation, preceded only by California and Virginia.

What is the CPA?

The CPA is a consumer privacy law that provides Colorado residents with rights over the way their data is collected and processed by organizations. Similar to other US legislation, including the Connecticut Data Privacy Act, which also comes into force on July 1, these rights include:

  • Right to access — Consumers have a right to access their personal data.
  • Right to correction — Consumers have a right to correct inaccuracies in their personal data.
  • Right to delete — Consumers have the right to delete or request deletion of their personal data.
  • Right to data portability — Consumers have the right to request a copy of their data to transfer to another entity, in a readily readable/transferable format.
  • Right to opt out — Consumers can opt out of the collection and processing of their personal data for targeted advertising, sale or profiling for decision-making purposes.

The CPA also includes a right to appeal when businesses do not respond to a consumer request within 45 days (or an extended deadline of 90 days when reasonably necessary). Organizations must implement a straightforward appeals process for consumers.

Who needs to comply with the CPA?

The CPA applies to individuals and companies doing business in Colorado or producing products or services for its residents. There is no revenue limit affecting applicability, and the law applies if entities either:

  • Control or process the personal data of 100,000 or more consumers annually, or
  • Derive revenue from the sale of personal data and control or process data of 25,000 or more consumers.

The CPA does not apply to specific types of entities, including state and local governments, state institutions of higher education, personal data governed by defined state and federal laws, listed activities, or employment records.

How do organizations comply with the CPA?

Individuals and companies covered by the act must meet several obligations to comply. These include:

  • A duty of transparency explaining to consumers in a privacy notice the types of data they process and why, whether they share the data with any third parties and what they share. The notice also needs to explain how consumers can exercise their data rights and how they can opt out, where applicable.
  • A duty of purpose specification requiring data controllers to specify the “express purposes for which personal data are collected and processed.”
  • A duty of data minimization, limiting personal data to that necessary to fulfil the specific purpose.
  • A duty to avoid secondary use of personal data beyond that of the specific purpose.
  • A duty of care to protect and secure the data using appropriate security measures.
  • A duty to avoid unlawful discrimination against consumers when processing their information.
  • A duty regarding sensitive data whereby consumers must consent to sensitive data processing, which must be “freely given, specific, informed, and unambiguous.”

Organizations must also perform data protection assessments for all their processing activities to identify and manage any that may present a “heightened risk of harm” to a consumer. Further, for controllers outsourcing data processing, a contract must be in place between controllers and processors.

The CPA is enforced by both the state attorney general and district attorneys. Failure to address violations or complaints within 60 days may lead to further penalties. These are governed by the Colorado Consumer Protection Act, and noncompliant entities could be fined up to $20,000 per violation.

Where should organizations start?

Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to Colorado residents.

Ground Labs’ Enterprise Recon simplifies this process by automating discovery and enabling rapid identification and remediation of more than 300 personal data types across on-premises and cloud-based systems.

To find out how Enterprise Recon can enhance your CPA compliance efforts, book a call with one of our experts today.
