What is the Colorado Privacy Act?
This week, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California's two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as well as Virginia's recently passed Consumer Data Protection Act (CDPA). It even borrows some terms and ideas from the EU's General Data Protection Regulation.
While there are similarities, such as some form of a right to opt-out, special protections for sensitive data and the adoption of some privacy-by-design principles, the significant differences are in the details. That's according to Kirk Nahra, a longtime privacy attorney and co-chair at Wilmer Hale.
The CCPA (California), CPRA (California) and CPA (Colorado) define "sensitive data" differently, for example. "Companies will need to take into account these details to reach compliance," Nahra said.
Who must comply with the Colorado Privacy Act?
The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.
What consumer rights does the CPA grant?
The CPA lists five rights granted to Colorado residents once the law becomes effective. They are:
- The right to opt-out of targeted ads, the sale of their personal data or being profiled.
- The right to access the data a company has collected about them.
- The right to correct data that's been collected about them.
- The right to request the data collected about them is deleted.
- The right to data portability (that is, the right to take your data and move it to another company).
Who is exempt from the CPA?
The law includes exemptions for a broad range of purposes.
"Small businesses definitely are treated differently than larger businesses," said Nahra. "In fact, like the laws in Virginia and California, many small businesses are exempted entirely ... These exemptions are a big part of this law."
Calli Schroeder, global privacy counsel at EPIC, said the bill has some good elements, but there are places it needs improvement, specifically some of the other exemptions.
"The list of exemptions is long – exemptions for air carriers, exemptions for employment records, exemptions for information held by higher education or the state, and exemptions for customer data of public utilities (which includes common carriers/telecommunications companies)."
There are 17 blanket exemptions within the law, noted Amie Stepanovich, executive director of Silicon Flatirons at Colorado University Law School. Those include:
- If the data was collected for Colorado health insurance law purposes.
- If the entity collecting the data or the data collected is already covered by certain sectoral laws, including the Children's Online Privacy Protection Act or the Family Educational Rights and Privacy Act.
- If the data has been de-identified or pseudonymized.
- If the data is being maintained and used by a consumer reporting agency.
- If the data is being used for employment records purposes.
In part because of the long list of exemptions, Stepanovich said the bill contains "some good stuff," but "I really don't think this is the gold standard, and I hope we keep seeing better from other states."
Privacy advocates and others are more favorable toward the CPA's requirements that data controllers:
- Practice data minimization.
- Avoid secondary uses of data.
- Obtain opt-in consent before processing children's data.
- Conduct data protection impact assessments for processing that could be considered "high risk."
However, Schroeder would like to see the requirement on data protection impact assessments include transparency provisions.
"Mandating data protection assessments for high-risk activities is an excellent step, but they are not allowed to be made public, which hampers real accountability," she said.
Privacy advocates also broadly welcome the law's call for global privacy control, a mechanism that would allow Colorado residents to opt-out of data processing by any website. California's privacy laws, the CCPA and the CPRA, also call for a universal opt-out mechanism.
It's a trend that could continue in forthcoming state legislation. Schroeder said that's important because, "It is unrealistic to expect that internet users are going to take multiple steps to separately opt-out of data disclosure on every website they visit. Global opt-out mechanisms will simplify the opt-out process but are only effective if enforceable."
Who will enforce the CPA?
The Colorado Attorney General's Office will enforce the CPA, which differs from California's latest privacy law, the CPRA. There, a newly established privacy protection agency will issue guidance and enforce.
But unlike California's laws, there is not a private right of action within the CPA. A private right of action allows consumers to file a lawsuit under certain circumstances, such as a breach of personal information.
"This has been a sticking point for advocacy groups," said Nahra. "It was one of the major points of contention that effectively ended any chance of the Washington Privacy Act making it out of the legislature this year and has also been an issue in the national privacy debate in Congress. It will be interesting to see if other states are willing to pass a privacy law without a private right of action, under the notion that some privacy protections are better than no law at all."
Some see this as a mistake, arguing that companies won't take their obligations seriously if there isn't the looming threat of a lawsuit in cases of noncompliance.
"Without giving individuals the ability to vindicate their rights, companies will assume there is a low risk of enforcement, and the effort that went into enacting a privacy law will be wasted," Schroeder said.
What should my company do first?
Nahra said companies that already are complying with California or Virginia have a head start.
"If you believe that you are subject to the Colorado law, the first step overall is data mapping," he said. "Understanding what data you collect, where it comes from and who it belongs to will help companies understand their relevant legal obligations, not only under the Colorado Privacy Act, but also under the California Privacy Rights Act and Virginia's Consumer Data Protection Act."
In the end, Schroeder agreed with Stepanovich that the bill does some good, but more is needed.
"While there are some important provisions in the bill that will provide privacy protections, the Colorado law is far from what states need to be doing in order to change the business practices that are eroding individual privacy and harming our communities," she said.