CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
June 26, 2023
As the third state to pass a data privacy law, Colorado served as a bellwether of things to come in U.S. privacy law. Naturally, Colorado has its own unique spin on comprehensive data privacy legislation, which can make compliance tricky.
We’ll dive into the specifics of the Colorado Privacy Act (CPA) in this blog, including what it has in common with other state laws and where it differs.
The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to the California Privacy Rights Act (CPRA), Virginia's Consumer Data Protection Act (CDPA), and other state laws. It even borrows some terms and ideas from the EU's General Data Protection Regulation (GDPR).
While there are similarities, such as some form of a right to opt out of data collection and processing, special protections for sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details. That's according to Kirk Nahra, a longtime privacy attorney and co-chair at Wilmer Hale.
The CPRA (California) and CPA (Colorado) define "sensitive data" differently, for example. "Companies will need to take into account these details to reach compliance," Nahra said. We’ll walk through the CPA’s definition of sensitive data, among its other requirements, below.
The CPA features a number of requirements that will be familiar to those who have had to become compliant with other data privacy laws.
Businesses need to provide notice to consumers that explains what data they collect and process, why, how consumers can exercise their rights, what data they share with third parties, who those third parties are, whether they sell data to third parties, and a how consumers can opt out of the sale or processing of data for targeted advertising.
Generally, the Colorado data privacy law requires opt-out consent; that is, businesses can collect and process data so long as they inform consumers (as described above) and give them a means of opting out of that collection and processing.
However, businesses need to collect opt-in consent (which requires consumers to make some affirmatory signal before collection and processing of personal data begins) under certain circumstances. A parent or guardian must give opt-in consent before businesses can collect and process data for children under 13. If the business wants to use personal data for a second purpose beyond what it described in its original notice, opt-in consent is again required. And lastly, the business must secure opt-in consent for sensitive data, which includes:
Businesses must also conduct data protection assessments before processing activities that may present a heightened risk to the consumer. That could be targeted advertising or profiling, selling data, processing sensitive data, and other activities.
While there are many other requirements like the need to comply with purpose specification and data minimization, one of the major features of the law is the need to comply with data subject access requests (DSARs).
Data privacy laws give consumers certain rights they may choose to exercise; when they do, it’s called a DSAR. Businesses have 45 days to respond to a DSAR, or request a 45-day extension for high-volume and/or complex requests.
The CPA lists five rights granted to Colorado residents once the law becomes effective. They are:
Colorado’s privacy law applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.
One would think that when a data privacy regulation is signed into law, then that’s the end of it—barring any future amendments, of course.
In reality, the legislative process involves further steps. The initial bill serves more as a framework for administrators and agencies to develop further in a process known as rulemaking. When it comes to data privacy law, rulemaking can make important clarifications to a given law.
For the Colorado data privacy law, rulemaking has concluded, and businesses subject to the CPA have much-needed guidance on a number of previously unclear requirements. Here’s a non-exhaustive list:
Note that the above doesn’t represent the whole spectrum of CPA rulemaking. You can find the full list of CPA rules on the Colorado Attorney General’s website.
The law includes exemptions for a broad range of purposes.
"Small businesses definitely are treated differently than larger businesses," said Nahra. "In fact, like the laws in Virginia and California, many small businesses are exempted entirely ... These exemptions are a big part of this law."
Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center (EPIC), said the bill has some good elements, but there are places it needs improvement, specifically with some of the other exemptions.
"The list of exemptions is long—exemptions for air carriers, exemptions for employment records, exemptions for information held by higher education or the state, and exemptions for customer data of public utilities (which includes common carriers/telecommunications companies)."
There are 17 blanket exemptions within the law, noted Amie Stepanovich, executive director of Silicon Flatirons at Colorado University Law School. Those include:
The Colorado Attorney General's Office enforces the CPA, which differs from how the CPRA is enforced. In California, a dedicated privacy protection agency issues guidance on the law and enforces it. California is very much the exception, however; most states only have enforcement via the Attorney General’s office.
Similarly, there is not a private right of action within the CPA. A private right of action allows consumers to file a lawsuit under certain circumstances, such as a breach of personal information.
"This has been a sticking point for advocacy groups," said Nahra. "It was one of the major points of contention […] in the national privacy debate in Congress. It will be interesting to see if other states are willing to pass a privacy law without a private right of action, under the notion that some privacy protections are better than no law at all."
Some see this as a mistake, arguing that companies won't take their obligations seriously if there isn't the looming threat of a lawsuit in cases of noncompliance.
"Without giving individuals the ability to vindicate their rights, companies will assume there is a low risk of enforcement, and the effort that went into enacting a privacy law will be wasted," Schroeder said.
Another unique feature of the Colorado data privacy law is its fine structure. Other state laws might fine a business $2,000 or so for each individual violation (which can build up pretty fast, as every instance of nonconsensual data processing counts as an offense). The CPA, however, levies a whopping $20,000 per offense!
Fortunately, there’s a silver lining. The reason why the CPA has such a harsh penalty is because each CPA violation is treated as a deceptive trade practice under another Colorado law: the Colorado Consumer Protection Act.
Although the Colorado privacy law penalizes deceptive trade practices at $20,000 per offense, it caps penalties at $500,000. So, relatively minor offenses of the Colorado data privacy law will hurt more than they would in other states, but businesses aren’t likely to rack up the multi-million-dollar fines possible in jurisdictions like California or the EU.
Nahra said companies that already are complying with California or Virginia have a head start.
"If you believe that you are subject to the Colorado law, the first step overall is data mapping," he said. "Understanding what data you collect, where it comes from and who it belongs to will help companies understand their relevant legal obligations, not only under the Colorado Privacy Act, but also under the California Privacy Rights Act and Virginia's Consumer Data Protection Act."
In the end, Schroeder agreed with Stepanovich that the bill does some good, but more is needed.
"While there are some important provisions in the bill that will provide privacy protections, the Colorado law is far from what states need to be doing in order to change the business practices that are eroding individual privacy and harming our communities," she said.
Rachael Ormiston is the Head of Privacy at Osano. With over 15 years of professional experience, she has deep domain expertise in Global Privacy, Cybersecurity, and Crisis and Incident Response. Rachael is an IAPP FIP and has previously served on the IAPP CIPM Exam Development board. She has a personal interest in privacy risk issues associated with emerging technologies.