Controllers' Responsibilities Under the Colorado Privacy Act

Starting July 1, 2023, the Colorado Privacy Act (CPA) mandates specific privacy safeguards for Colorado inhabitants. In addition, it demands that certain businesses, referred to as "controllers," who operate in Colorado or actively pursue Colorado residents, implement these protections. Colorado is following the footsteps of several other states, including California, Virginia, Utah, and Connecticut, in establishing comprehensive data privacy safeguards for its citizens. Additionally, various state-level privacy bills are advancing through the committee stage.1 The current patchwork approach stems from the absence of federal legislation that covers data privacy entirely.

Although several reasons exist for the lack of progress toward enacting comprehensive federal data privacy legislation, two significant factors stand out. First, the States and federal government disagree over if the federal data privacy legislation will invalidate the state's data privacy laws. This would include the CPA. The second is whether there should be a private right of action to enforce violations of the proposed statute. Notably, the CPA does not provide for a private right of action, which means that individuals or organizations cannot sue a business for breaching the CPA.

Instead, enforcement authority rests with the Colorado Attorney General and district attorneys, who may seek injunctive relief to stop a business from engaging in conduct that breaches the CPA or obtains monetary damages for such violations. Although this article offers a broad outline of controllers' responsibilities before the CPA becomes effective this summer, individual controllers and entities subject to the Act should seek the advice of an attorney knowledgeable about the CPA and the specific data environment applicable to their organization.

Colorado is adopting an incremental approach to implementing the CPA and is working on the third edition of its proposed draft rules.2 Although it is reasonable to assume that the rules will align with the previously suggested ones, the precise definitions and requirements are subject to change. To date, the consistency among all versions has been the description of "controller" and how the Act pertains to this distinct group. The CPA applies to controllers who engage in business in Colorado or manufacture or provide commercial products or services that intentionally target Colorado residents and who also:

(1) manage or handle the personal data of at least 100,000 consumers in a given calendar year, or

(2) earn income or obtain a discount on goods or services by selling personal data and managing or handling the personal data of 25,000 or more consumers.

Contractors, service providers, and vendors who maintain, oversee, or provide services pertaining to personal data must also follow the CPA. This includes cloud providers who are working on behalf of controllers. Equally significant are the entities that are exempted from the Act. The CPA excludes certain types of entities from adhering to its provisions, even if they satisfy the definition of a controller under the Act. Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act, air carriers subject to Federal Aviation Administration regulations, and national securities associations registered under the Security Exchange Act are examples of these exempt entities.4 Additionally, this also applies to personal data secured by following federal privacy laws. This includes the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA).

Businesses that must comply with California's Consumer Privacy Act (CCPA) regulations will observe that the CPA lacks a financial threshold akin to the CCPA, which starts at an annual gross income of $25 million.

Controllers under the CPA face numerous obligations. The present version of the CPA's rulemaking runs to 47 pages, encompassing a broad range of topics such as transparency in privacy notifications and the requirements for secure consumer data storage. As a rule, controllers of consumer data are mandated to “be transparent about how they collect, store, use, share, and sell personal data, and clearly identify the purpose for which they do so."5 Section 6.02, named "Privacy Notice Principles," stipulates the principles that controllers need to adhere to when issuing privacy notices to consumers, which includes the provision of such notices “with a meaningful understanding and accurate expectations of how their personal data will be processed."6

Furthermore, the privacy notices must be easily noticeable and include information on the categories of personal data that the controller shares or sells to third parties, if any. The notice should also adequately describe the third parties to provide consumers with a clear understanding of the entity, such as data brokers, analytics companies, third-party advertisers, payment processors, or government agencies. Lastly, any significant changes to the privacy notice must also be communicated to the consumers. Although this section outlines the controllers' responsibilities regarding privacy notices, it is not exhaustive. Thus, controllers are advised to consult their legal counsel to review the current version of CPA to prepare for the law's implementation in the summer of 2023.

The Duty of Care provision of the CPA mandates certain requirements controllers must comply with that “ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of personal data collected, stored, and processed [are in place]."7 Controllers must comply with the Duty of Care section of the CPA when processing personal data. The enforceability of this section depends on whether the data security practices used by the controller were reasonable. In determining reasonableness, controllers must take into account factors such as:

1. Pertinent industry standards

2. Intricacy, nature, and size of the organization

3. Sensitivity and volume of personal data

4. Risk of harm to consumers resulting from unauthorized access

5. Expense or burden of protections to safeguard personal data from harm

To summarize, controllers should implement reasonable safeguards to protect consumer data from unauthorized access, accidental loss, destruction, or damage.

Part 7 of the Draft Rules outlines the importance of obtaining valid consumer consent and the corresponding responsibilities for controllers under the CPA. Rule 7.02 states that before processing a consumer's sensitive data, a controller must obtain valid consent from the consumer. The Act defines sensitive data as data that reveals an individual's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.8 If a controller processes the data of a known child, valid consent must be obtained from a parent or lawful guardian. Additionally, a consumer must provide valid consent if they have exercised opt-out rights and the controller wants to sell the data or process the data for targeted advertising. If the purpose of processing the personal data is not reasonably necessary or aligns with the initial purpose the controller communicated to the consumer, valid consent must be obtained.

Obtaining valid consent from consumers under the CPA significantly differs from the current practices of many companies in the data privacy environment. Per the CPA, consent cannot be obtained through consumer inactivity, pre-ticked boxes, silence, or a blanket acceptance of terms and conditions. Valid consent depends on many different factors, including the timing of the request, user interface design, the consumer’s age, and the use of dark patterns. Therefore, controllers need to assess their existing privacy and data practices and procedures and ensure compliance with the emerging regulatory requirements under the CPA for consent to avoid potential legal consequences. Factors include the timing of the request, user interface design, the consumer’s age, and the use of dark patterns. 

The CPA also empowers the Attorney General to request Data Protection Assessments, which controllers must undertake before processing data that poses a heightened risk of harm to consumers, such as processing sensitive personal and consumer data for targeted advertising. The assessments should evaluate the benefits of processing such data against consumer rights risks. The amount and sensitivity of the processed data along with the size of the controller should direct the amount of detail and scope of these assessments.9 Part 8 of the CPA outlines the elements that should be included in a Data Protection Assessment, along with its required scope, stakeholder participation, and timing. Additionally, controllers must make these assessments available to the Attorney General within 30 days of the request.

As previously noted, enforcement of the CPA is the responsibility of the Colorado Attorney General's office and state district attorneys since the Act does not allow for a private right of action. This means that individuals cannot seek monetary damages or an injunction if a controller's actions have violated their rights under the CPA. However, controllers may still face substantial fines. Each violation of the CPA can receive a civil penalty of no more than $20,000. These penalties are sought by either a district attorney or the Colorado Attorney General, per the Colorado Revised Statutes Section 6-1-112. The CPA also includes a cure provision, allowing controllers to correct violations. The enforcement authorities have the discretion to determine whether a cure is possible, and a notice of cure is not required if no remedy is feasible. The cure provision will expire on January 1, 2025.10 The Colorado Attorney General's office and district attorneys are making the specific rules they will reference when enforcing the CPA public. These rules will be adopted before the Act's rollout on July 1, 2023.

The disjointed approach to data privacy, reflected in the Colorado Privacy Act, is expected to persist in the United States for the foreseeable future. In this environment, businesses must remain vigilant and aware of the evolving regulatory landscape. They need to understand the states and countries in which they operate, the data they collect, how it is processed and used, and the security measures to protect it. Controllers should conduct risk assessments and regular audits through internal and external experts. These audits should be conducted systematically. Controllers should address any identified issues promptly before they become subject to enforcement actions.

Given the constantly evolving landscape of privacy regulations and protections, seeking advice from a knowledgeable attorney is crucial. At Whitcomb Selinsky PC, our Data Privacy and Cybersecurity attorneys can assist you with compliance inquiries before the rollout of the CPA this summer. In addition, we will compare your current data security and privacy practices with the CPA requirements, helping you to avoid violations. Access to personal data is easily attainable. Therefore, it is critical to secure any personal customer data your business acquires.

This blog will be regularly updated to reflect any changes in the rulemaking process of the Act.