In a growing trend, states around the nation are passing or considering their own data privacy laws. The Colorado Privacy Act (CPA, or “the Act”) will make Colorado the third state to pass major data privacy legislation.  This expanding web of similar, but distinct state laws will continue to drive discussions about the need for a federal privacy law.

Colorado’s privacy legislation is effective July 1, 2023. The Act echoes the provisions of GDPR (the European Union’s General Data Protection Regulation), Virginia Consumer Data Privacy Act (effective January 1, 2023), California’s Consumer Privacy Act (now in effect), and California’s Privacy Rights Act (effective January 1, 2023).

What does the CPA do?

The CPA grants various rights to consumers:

  • To “confirm” the personal data being processed by a business
  • To obtain a copy of that data and be able to move it (data portability)
  • To request a business delete their personal data
  • To correct inaccuracies in their personal information
  • To opt-out of the processing of their personal data for targeted advertising, sale, or consumer profiling

What does the CPA require?

The Act requires covered businesses:

  • To collect personal information only for a specific purpose
  • To limit the amount and kind of personal information collected to that which is adequate, relevant, and reasonably necessary to fulfill the specified purpose
  • Not to use the personal information for a purpose not reasonably necessary to or compatible with the specified purpose for which the personal data are processed
  • To provide a privacy notice to consumers
  • To establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data
  • To conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers

Who does the CPA cover?

A covered entity is defined as a business that:

Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and satisfies one or both of the following thresholds: (i) controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or (ii) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.

S.B. 21-190, 70th Gen. Assemb., Reg. Sess. (Co. 2021)

“Conducting business in Colorado” in the age of e-commerce can mean simply operating a website that serves Colorado residents. Therefore, if a business has a website that processes personal information of at least 100,000 Colorado residents and is not subject to an exemption, it will fall under the statute and will need to comply.

Who is exempt from CPA coverage?

Several groups of businesses are exempt from CPA, including those who fall under HIPAA or Gramm-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and government entities in Colorado. We will have more information in future updates on exceptions for these industries.

What kinds of “personal data” are covered by the CPA?

The Act defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” It does not include de-identified or publicly available data. Notably, the Act excludes an “individual acting in a commercial or employment context,” from the “consumers” protected by the Act. In other words, personal data applies almost strictly to consumer data and not to business-generated or employment data.

The Act further defines “sensitive data” as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, and information from a known child.

Business-to-business communications and contacts are specifically carved out, focusing instead on consumer-driven data collection.

What Steps Can a Business Take Now?

All businesses, especially those operating nationally, should analyze their data footprints and take steps toward compliance with the new laws in Colorado and Virginia and with California’s enhanced privacy protections. Rather than wait for July 1, 2023, contact the Woods Rogers Cybersecurity & Data Privacy Group now to begin making a compliance timeline and plan.