Navigating and Complying with Colorado’s New Consumer Privacy Act

Michael Callahan

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA or “the Act”) into law. With that pen stroke, Colorado joined California and Virginia as the third state to enact comprehensive consumer privacy legislation. While the law does not take effect until July 1, 2023, Colorado businesses would do well to study up on the new law to ensure compliance when it does become active.

In some ways, the CPA goes further than the California and Virginia privacy statutes. The CPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable person.”[1] Not only is that a broad definition, but the CPA also applies to a wider range of businesses than the California and Virginia statutes.
 
For example, while all three statutes will apply to businesses that control and/or process the personal data of 100,000 or more consumers per year, the CPA also applies to businesses that control and/or process the personal data of 25,000 consumers per year and derive revenue or receive a discount on the price of goods/services from the sale of personal data. Unlike other statutes, the CPA has no revenue threshold for determining whether an entity is covered. Given how common it is for businesses to sell personal data, this added wrinkle means that the CPA’s effective threshold for applicability is controlling or processing the data of just 25,000 consumers.

In addition, while all three statutes provide similar consumer rights, such as special protections for “sensitive” data like race, religion, and sexual orientation, the CPA also contains a user-selected universal opt-out mechanism. This mechanism gives Colorado residents the right to opt out of targeted advertising, the sale of their personal data, and specific types of user profiling (the practice of using automated processing of personal data to evaluate and predict personal aspects concerning an individual’s location, behavior, personal preferences, and even economic situation).

The CPA comes with exceptions and exemptions, of course. “Consumers” under the Act only include Colorado residents acting in their individual or household capacities. That means individuals acting in commercial or employment contexts are not covered. Buying a new smartphone? Covered. Applying for a job? Sorry, that data isn’t afforded the same protection. The Act also does not extend to publicly available information or information that has been de-identified (private data where personal identifiers have been removed). Finally, entities covered by Federal privacy laws, like HIPAA and FERPA, are mostly exempted from the CPA.

So, what does all of this mean for covered Colorado businesses? Well, for one, every covered entity should begin a review of their current cybersecurity practices to evaluate whether they will be able to keep up with the CPA’s new suite of consumer rights and regulatory rules beginning in July 2023. In addition, all covered entities ought to begin drafting up new processes by which consumers can contact them and submit requests regarding their personal data as well as a process by which consumers can appeal the covered entity’s decision regarding the use of that data. Privacy policies will universally require updates to include the notices required under the CPA regarding how and why the covered entity uses consumer data. Covered entities will also be required to obtain consumer consent when it comes to collection and processing of “sensitive” data. Finally, all covered entities should also begin the process of designing and implementing the CPA’s unique “universal opt-out” mechanism which becomes mandatory for all covered entities on July 1, 2024.

Colorado is at the forefront of protecting consumer data and privacy with the CPA. However, these protections invariably come with significant regulatory and compliance hurdles for Colorado businesses. The CPA is only one of three such laws in the United States, so there is not a whole wealth of compliance experience for covered entities to look to for guidance. It goes without saying, then, that the earlier covered entities can start working on their compliance regime, the better!


[1] See Colo. Rev. Stat. § 6-1-1303

ABOUT THE AUTHOR

LAW CLERK

Michael joins Milgrom & Daskam as a law clerk, where he works in the litigation and intellectual property practice groups. During his time at CU Law, Michael has served as a volunteer with the Korey Wise Innocence Project as part of a small team advocating on behalf of wrongfully convicted individuals in Colorado. He also serves as vice president of the Student Animal Legal Defense Fund, where he has organized fundraisers and donation drives for local animal shelters. Before joining the firm as a law clerk, he worked as a constitutional law research assistant for the University and as a litigation intern at a small Denver law firm.
