Editor’s Note: Colorado Governor Jared Polis signed SB21-190 into law on July 7, 2021. The Colorado Privacy Act will become operative on July 1, 2023.
With the passage of SB21-190, Colorado is poised to become the third U.S. state—behind California and, most recently, Virginia—to enact a comprehensive consumer privacy law. On June 8, 2021, the Colorado Senate approved House amendments to the bill, which previously sailed through full Senate and House votes with overwhelming approval. The bill will soon be transmitted to Governor Jared Polis for his approval and, if enacted, the Colorado Privacy Act (CPA) will become operative on July 1, 2023.
The CPA tracks closely with the recently-enacted Virginia Consumer Data Protection Act (VCDPA), including by distinguishing between data “controllers” (i.e., businesses that determine the purpose and means of processing personal data) and “processors” (i.e., businesses that process personal data on behalf of a controller), and by prescribing GDPR-like obligations. However, the CPA’s enforcement regime would mark a significant departure from the other state consumer privacy laws, empowering both the Colorado Attorney General (AG) and district attorneys to enforce violations of the Act and prescribing civil penalties of up to $20,000 per violation.
Other key provisions of the CPA include:
Covered Businesses. The CPA would apply to controllers that conduct business in Colorado or produce commercial products or services that are intentionally targeted to Colorado residents and that:
Consumer. The CPA would define a “consumer” as a Colorado resident acting only in an individual or household context. The definition specifically excludes individuals acting in a commercial or employment context, as job applicants, or as beneficiaries of an individual acting in an employment context.
Personal Data. The CPA would define “personal data” as information that is linked or reasonably linkable to an identified or identifiable individual. The definition excludes de‑identified data (which requires controllers to publicly commit to maintaining and using the data in de-identified form and not attempt re-identification) and publicly available data.
Sale. The CPA would define “sale” as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. Exclusions from the definition of “sale” include transfers of personal data to processors, affiliates, or third parties for purposes of providing a product or service that the consumer requested.
Sensitive Data. The CPA separately defines—and imposes specific obligations regarding—“sensitive data”: (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (2) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (3) personal data of an individual under 13 years of age.
Targeted Advertising. The CPA would define “targeted advertising” as displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests. It does not include, among other things, advertisements based on activities within a controller’s own websites or online applications or the context of a consumer’s current search query, visit to a website, or online application.
The CPA would grant a consumer the right to access (i.e., confirm whether a controller is processing his or her personal data and access that data), correct, and delete his or her personal data, as well as to obtain the data in a portable format. It would also permit a consumer to opt out of the processing of his or her personal data for purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. A controller that processes personal data for targeted advertising or sale would be required to clearly and conspicuously post an opt-out method in: (1) its required privacy notice (see “Notice” and “Choice” below); and (2) in a readily accessible location outside of the privacy notice.
Until July 1, 2024, controllers that process personal data for targeted advertising or sale would be permitted to allow consumers to exercise their opt-out right by way of a user-selected universal opt-out mechanism that meets the technical specifications set forth in rules that the AG must promulgate by July 1, 2023. Effective July 1, 2024, however, controllers would be required to allow consumers to opt out by such a method. Notwithstanding this, a controller could also enable a consumer to consent to sale or targeted advertising through a web page, application, or similar method, and this consent would take precedence over the universal opt-out mechanism.
The CPA would impose the following obligations on controllers and processors:
Notice. A controller would be required to provide consumers with a privacy notice that includes:
Choice. If a controller sells personal data to third parties or processes personal data for targeted advertising, it would be required to clearly and conspicuously disclose the sale or processing and the manner in which a consumer may opt out.
Sensitive Data. A controller would be prohibited from processing a consumer’s sensitive data without obtaining the consumer’s consent (or, in the case of the personal data of an individual under age 13, his or her parent or guardian’s consent).
Permitted Purposes of Processing. A controller would be permitted to process personal data without restriction for certain specified purposes such as to:
Secondary Uses. A controller would be prohibited from processing personal data for purposes that are not reasonably necessary to, or compatible with, the specified processing purposes, without obtaining the consumer’s consent.
Data Protection Assessments. A controller would be required to conduct and document a data protection assessment (DPA) for each processing activity that presents a heightened risk of harm to a consumer, including targeted advertising, certain high-risk profiling, the sale of personal data, and processing sensitive data. DPAs would have to identify and weigh the benefits of the processing against the potential risks to the rights of the consumer, as mitigated by safeguards the controller could employ to reduce those risks, and the controller would be required make DPAs available to the AG upon request.
Data Security. A controller would be required to take reasonable measures—appropriate to the volume, scope, and nature of the personal data at issue, as well as the nature of the business—to secure personal data from unauthorized acquisition during both storage and use.
Data Processors. Processors would be required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA. For example, the processor would be required to assist the controller by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to consumer requests to exercise their rights and helping to meet the controller’s data security and breach notification obligations in relation to the processing of personal data. The CPA would require a contract between the controller and the processor that sets out the processing instructions to which the processor will be bound, including the nature and purpose of the processing, the type of personal data to be processed, and the duration of the processing. At the controller’s request, the processor must delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
Consumer Appeals. The CPA would require a controller to establish an internal process whereby a consumer may appeal the controller’s refusal to take action on his or her individual rights request, within a reasonable time period after being notified of such refusal. The controller would be required to make the process conspicuously available and as easy to use as the process for submitting a request.
The CPA contains a number of statutory exceptions, including for personal data collected, maintained, and processed in compliance with the Health Insurance and Portability Accountability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, (the CPA would also specifically exempt financial institutions and affiliates subject to the GLBA), the Driver’s Privacy Protection Act, the Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act. It would also exempt air carriers, data maintained for employment records purposes, customer data maintained by public utilities, and data maintained by state institutions of higher education and other government entities, provided that such data is used for non-commercial purposes.
The CPA does not provide for a private right of action, but would instead vest exclusive enforcement authority in the AG and district attorneys, who could bring an action in the name of the state or on behalf of Colorado residents. If the AG or a district attorney deems that a cure is possible, it would be required to issue the controller a notice of violation and give the controller 60 days to cure the violation before bringing an enforcement action. However, this cure period would sunset on January 1, 2025.
The bill states that a violation of the CPA constitutes a deceptive trade practice. Violations would be subject to civil penalties under the Colorado Consumer Protection Act (C.R.S. 6-1-112), which provides for civil penalties of not more than $20,000 per violation.
SB21-190 will soon head to Governor Polis’ desk for approval, and it is widely anticipated that he will sign it.
The Colorado General Assembly is scheduled to adjourn for the year on June 12, 2021. If the bill is transmitted to Governor Polis before that date, he has 10 days (excluding Sundays) to sign or veto the bill, or it becomes law without his signature. If the bill is transmitted to Governor Polis after the legislative session ends, he must act on the bill within 30 days after the last day of the session, or it becomes law without his signature.
Be sure to visit our California Consumer Privacy Act Resource Center for the latest news, webinars, and other resources regarding the U.S. state consumer privacy law landscape.