Colorado Enacts Comprehensive Consumer Privacy Law

On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by an Orrick Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).

Highlights of the CPA include:

• Applicability. The CPA applies to entities conducting business or producing products or services intentionally directed at Colorado residents that either “control or process personal data of more than 100,000 consumers per calendar year” or earn “revenue … from the sale of personal data and process or control the personal data of [25,000] consumers or more.” Notably exempt from coverage are financial institutions and their affiliates, as well as personal data “collected, processed, sold, or disclosed pursuant to the Federal ‘Gramm-Leach-Bliley Act’ … if the collection, processing, sale, or disclosure is in compliance with the law.” In addition, “personal data governed by listed state and federal laws, listed activities, and employment records,” certain protected health information, and data maintained by a public utility are exempt from the CPA. Further, certain rights do not apply to pseudonymous data (defined as “personal data that can no longer be attributed to a specific individual without the use of additional information”), provided the controller can show that the identifying information is kept separate and is subject to controls intended to prevent the controller from accessing the data. Notably, a “consumer” is defined to exclude an individual acting in a commercial or employment capacity, including job applicants or beneficiaries of someone acting in an employment capacity.
   
• Consumer rights. Under the CPA, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” Controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. The CPA makes clear that consent does not include (i) acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (ii) hovering over, muting, pausing, or closing a given piece of content; or (iii) agreement obtained through dark patterns. 
   
• Controller responsibilities. Among the CPA’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) providing purpose specification, minimizing the collection of personal data, and avoiding secondary use; (v) taking reasonable measures to secure personal data during storage and preventing unauthorized acquisition; and (vi) avoiding unlawful discrimination. Controllers must also conduct data protection assessments for all processing activities involving personal data where there is a heightened risk of harm.
   
• Data processing agreements. The CPA stipulates that processors must follow a controller’s instructions, help meet the controller’s obligations concerning the processing of personal data, and provide assistance with data protection assessments in the event of a data breach. Processors may only engage a subcontractor after providing a controller with the opportunity to object, and subcontractors must meet the processor’s obligations with respect to personal data. Additionally, processors must allow and assist with reasonable audits and inspections by the controller or an auditor designated by the controller.
   
• Private right of action and state attorney general rule writing and enforcement. The CPA does not provide a private right of action to consumers. Instead, the Colorado state attorney general may bring actions for violations of the CPA and impose penalties (a violation of the CPA will be considered a deceptive trade practice). Before initiating such action, the attorney general or district attorney may grant the controller 60 days to cure the violation. The cure provision, however, is set to expire January 1, 2025. Additionally, the attorney general will also promulgate rules that “detail the technical specifications for one or more universal opt-out mechanisms,” and may issue opinion letters and interpretive guidance that will have an effective date of July 1, 2025. The CPA also empowers the attorney general to access and evaluate a company’s data protection assessments.
   
• Preemption. The CPA preempts all local laws, ordinances, resolutions, and regulations regarding the processing of consumers’ personal data.

The CPA takes effect July 1, 2023, with certain opt-out provisions taking effect July 1, 2024.

If you have any questions regarding the Colorado Privacy Act, please visit our Cyber, Privacy & Data Innovation practice page or contact an Orrick attorney with whom you have worked in the past.