Issue in Brief: Colorado is the third state to pass comprehensive consumer privacy legislation—the second in 2021—following the Virginia Consumer Data Protection Act (CDPA), which was signed into law earlier this year, and the California Consumer Privacy Act (CCPA), which passed in 2018.
On the Horizon: The Colorado Privacy Act largely tracks the prior state consumer privacy laws, requiring covered businesses to observe transparency requirements, honor consumer requests, and implement security controls to protect personal data. As a slight divergence, however, the CPA requires covered businesses to observe stricter consent requirements, implement a “single-click” opt-out mechanism, provide a readily available appeals process for consumer requests, and conduct—in certain instances—data protection impact assessments.
Key Takeaways: The CPA comes into effect on July 1, 2023, along with implementing regulations that the Colorado attorney general is required to develop. Businesses covered by the CPA should begin aligning their privacy programs and practices with the CPA, including the development of the more unique aspects of the law, such as the “single-click” opt-out mechanism and the readily available appeals process.
CPA Scope & Key Definitions
On July 7, 2021, Colorado Governor Jared Polis signed the CPA into law, which is set to take effect on July 1, 2023.
The CPA largely tracks the prior state privacy legislation, the CCPA and the CDPA, but also borrows elements from Europe’s General Data Protection Regulation (GDPR). Similar obligations include transparency requirements, honoring consumer requests, observance of data minimization principles, implementing data security efforts, and adhering to vendor management requirements.
In addition to the commonly shared obligations with the CCPA and CDPA, such as transparency requirements and a short list of explicit consumer rights, the CPA has some unique and nuanced differences in scope, including:
Novel CPA Requirements & Obligations
Similarly, the CPA also creates unique (for US state consumer privacy) requirements, including:
Entity & Data Category Exemptions
The CPA includes certain exemptions, either by entity or by data set:
Exempt Entities. Principally, the CPA exempts financial institutions subject to the Gramm-Leach-Bliley Act.
Exempt Data Categories. The CPA further excludes protected health information and de-identified information under HIPAA, data collected through certain activities of consumer reporting agencies, and data maintained for employment purposes, as well as data regulated by other laws, such as the Children’s Online Privacy Protection Act (COPPA).
CPA Enforcement & Penalties
A violation of the CPA constitutes a deceptive trade practice, and noncompliant businesses can be fined up to $20,000 per violation, with no cap on the overall fine amount. The CPA, however, does not provide for a private right of action. Rather, it is enforced by the attorney general or a district attorney.
Upon an enforcement action, the relevant office must provide notice to the business, after which time the business will have 60 days to cure the violation. This provision, though, is set to expire January 1, 2025, after which businesses in violation of the CPA will not have an automatic right to cure before a proceeding commences.
For businesses complying with the CPA for the first time, and for businesses already subject to other privacy frameworks that need to update their programs to comply with the CPA, critical steps should include:
- Data Mapping and Inventory Practices. Identifying the personal data a business collects is a critical first step toward compliance. This often includes identification of data elements, the purpose of the collection, storage locations, retention periods, and access rights to the data, including transfers to third parties.
- Developing Formal Processes and Procedures. Such procedures and processes include timely observing consumer requests, ensuring defensible collection of consumer consent where necessary, implementing data protection impact assessment processes, establishing the newly created appeals process, protecting personal data, and—as necessary—establishing a universal opt-out mechanism.
- Creating a Third-Party Management Program. This process involves diligence around contracting requirements for third parties that a business may use to process personal data, as well as tracking the sale or transfer of personal data to third parties.
For more information, please contact the Baker Botts Privacy and Data Security Team.