The Colorado Privacy Act (CPA) emerges as a groundbreaking response to safeguarding individual privacy, aimed at fortifying data protection and privacy rights for residents of the Centennial State. The CPA, which was signed into law in July 2021, officially came into effect on July 1, 2023, marking a significant milestone in Colorado’s data privacy landscape. With its enactment, Colorado joins the ranks of states that have enacted comprehensive privacy legislation, aligning itself with similar data privacy laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
What is the difference between a Data Controller and a Data Processor?
Under the CPA, there is a clear distinction between two key roles: the Data Controller and the Data Processor. These roles are fundamental to understanding how personal data is managed and processed under the law. Let’s explore the key differences between them:
Primary responsibility: The Data Controller is the entity or organization that determines the purposes and means of processing personal data. In simpler terms, they are the ones in charge of deciding why and how personal data is collected and processed.
Obligations: Data Controllers have a set of direct responsibilities under the CPA, including providing consumers with privacy notices, responding to consumer requests regarding their data rights, conducting data protection assessments, and ensuring compliance with the law.
Liability: Data Controllers bear a significant portion of legal responsibility for data processing activities. If there are violations of the CPA, it is typically the Data Controller who will face legal consequences and penalties.
Examples: In the context of the CPA, a Data Controller could be a company that collects and processes personal data for marketing purposes, an online retailer that stores customer information, or an employer that manages employee data.
Role: The Data Processor, on the other hand, is an entity or organization that processes personal data on behalf of the Data Controller. They do not determine the purposes or means of data processing; instead, they carry out processing activities as directed by the Data Controller.
Limited autonomy: Data Processors do not have the autonomy to decide how personal data is used. They must follow the instructions provided by the Data Controller and ensure that the data is processed in accordance with the CPA.
Obligations: While Data Processors have certain responsibilities to ensure the security and proper handling of personal data, they do not have the same level of direct obligations as Data Controllers. However, they are still required to cooperate with Data Controllers to facilitate compliance with the CPA.
Examples: A third-party cloud service provider that hosts a company’s customer database, a payment processing company that handles transactions on behalf of an online retailer, or a marketing agency that sends promotional emails for a business are all examples of Data Processors under the CPA.
How do consumers exercise their rights under the CPA?
Consumers in Colorado have several rights under the Colorado Privacy Act to control and protect their personal data. They can follow a specific process outlined in the CPA to exercise these rights.
Understand your rights
First, consumers should familiarize themselves with their rights under the CPA. These rights include the right to access personal data, correct inaccuracies, delete personal data, and opt out of the sale of personal data. Understanding these rights is crucial before proceeding.
Identify the Data Controller
Determine which organization or entity is the Data Controller responsible for your personal data. This could be a business, employer, or any entity that collects and processes your data. The CPA requires Data Controllers to provide contact information in their privacy notices.
Contact the Data Controller
Once you’ve identified the Data Controller, you can contact them to exercise your rights. Typically, this contact information can be found in their privacy notice. You may choose to contact them through methods such as email, a dedicated web portal, or a designated privacy request form.
Request access to your data
If you want to access your personal data, send a formal request to the Data Controller. Specify the information you want to access and provide sufficient details to help them locate your data. The Data Controller should respond within a reasonable timeframe, usually within 45 days.
If you believe there are inaccuracies in your personal data, notify the Data Controller. Describe the inaccuracies and provide corrected information if applicable. Data Controllers are required to rectify inaccuracies promptly.
To have your personal data deleted, submit a deletion request to the Data Controller. Ensure you specify which data you want deleted and provide enough information for them to identify your data. The Data Controller must comply with your request unless there are legal grounds for retaining the data.
Opt-out of data sale
If you wish to opt out of the sale of your personal data, communicate your preference to the Data Controller. They are obligated to respect your choice and cease the sale of your data. The CPA also prohibits discrimination against consumers who exercise this right.
It’s advisable to keep records of your communication with the Data Controller, including the date and details of your requests. This documentation can be valuable if any disputes arise.
Seek legal recourse
If you believe that your rights under the CPA are not being honored or encounter difficulties in exercising your rights, you can seek legal recourse. The CPA provides a private right of action, allowing you to take legal action against non-compliant Data Controllers.
Contact the Colorado Attorney General
In cases of non-compliance with the CPA, you can also contact the Colorado Attorney General’s Office, which has the authority to enforce the law and investigate violations.
Who does the CPA exclude?
The Colorado Privacy Act (CPA) is a comprehensive privacy law designed to protect the personal data of Colorado residents. However, specific exclusions outlined in the CPA determine which entities and data processing activities are not subject to its regulations. These exclusions are important to understand to ensure compliance with the law.
The CPA does not apply to organizations or data processing activities that are already regulated by federal laws that provide individuals with privacy rights. For instance, healthcare providers handling protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) are not subject to the CPA for their HIPAA-covered activities. This exclusion acknowledges the existing federal framework for such data.
Exempt non-profit organizations
Certain non-profit organizations are exempt from the CPA’s requirements. This exclusion applies to non-profit organizations that are exempt from taxation under Section 501(c)(3) of the Internal Revenue Code and specific categories of non-profit entities. The aim is to prevent unnecessary regulatory burdens on charitable and non-profit organizations.
Data processed in the employment context, such as personal data collected from job applicants, employees, or contractors, is subject to certain exemptions. The CPA recognizes that employment-related data is often governed by separate employment or labor-related laws and regulations. This exemption respects the existing legal framework for employment data.
The CPA excludes de-identified data from its provisions. De-identified data is information that has been stripped of personally identifiable details and cannot be used to identify an otherwise identified or identifiable individual. It no longer poses privacy risks in its anonymized form, so it is exempt from the CPA’s requirements.
Data collected as part of a transaction
Personal data collected and processed as part of a transaction where the consumer is acting as an employee, owner, director, officer, or contractor of a business entity is exempt from the CPA. This exemption primarily addresses business-to-business transactions where the consumer’s role is related to their business activities.
If a consumer provides informed, explicit, and unambiguous consent to a specific data processing activity, that activity may be exempt from certain CPA requirements. However, this exemption is limited to the extent specified in the consumer’s consent and is subject to the conditions set forth in the CPA.
While these exclusions under the Colorado Privacy Act clarify certain situations where the CPA does not apply, organizations should remain vigilant about other relevant privacy laws and regulations at the state and federal levels that may still govern their data processing activities.
Who must comply with the CPA?
The CPA imposes specific obligations and responsibilities on certain entities and organizations that process personal data. To determine who must comply with the CPA, it is essential to understand the criteria and thresholds set forth in the law. Some of the key factors that determine which entities are subject to compliance with the CPA are:
Entities that process personal data: The CPA applies to entities that process personal data. Personal data is broadly defined and encompasses a wide range of information that can be linked to or reasonably identifiable to an individual or household. This includes names, email addresses, physical addresses, biometric data, and more.
Entities that conduct business in Colorado: The CPA applies to businesses that conduct activities in the state of Colorado. This means that if an entity operates within Colorado, serves Colorado residents, or intentionally targets Colorado consumers with its products or services, the entity falls under the jurisdiction of the CPA.
Entities that process personal data for commercial purposes: The CPA primarily regulates personal data processing for commercial purposes. Therefore, businesses that collect, use, or share personal data as part of their commercial activities are subject to compliance with the CPA. This includes businesses that sell products or services to consumers.
Entities that process personal data in a commercial or employment context: The CPA covers personal data processing in both commercial and employment contexts. This means that businesses and employers that collect and process employee data must adhere to the CPA’s provisions related to employment-related data.
Entities that process personal data for profit or derive revenue: Entities that process personal data for profit or revenue generation, directly or indirectly, are within the scope of the CPA. This includes businesses that use consumer data for targeted advertising, analytics, or other revenue-generating activities.
Entities that handle sensitive data: The CPA places a special emphasis on sensitive data, which includes information such as racial or ethnic origin, religious beliefs, sexual orientation, health conditions, genetic data, and more. Entities that process sensitive data must comply with additional requirements and safeguards outlined in the CPA.
A comparison of the data privacy laws in Colorado, Virginia, and California
Several U.S. states have taken proactive steps to enact comprehensive data privacy laws. Colorado, Virginia, and California stand out as pioneers in this regard, each introducing its own legislation to protect residents’ privacy rights.
Colorado Privacy Act (CPA)
Effective date: The CPA was signed into law in July 2021 and became effective on July 1, 2023.
Scope: Applies to entities that process personal data and conduct business in Colorado, with a focus on commercial and employment contexts.
Consumer rights: Provides consumers with rights such as access to their data, correction of inaccuracies, deletion of data, and the ability to opt out of data sales.
Sensitive data: Includes provisions for sensitive data, with stricter requirements for its processing.
Enforcement: Allows for both private right of action by individuals and enforcement by the Colorado Attorney General.
Virginia Consumer Data Protection Act (VCDPA)
Effective date: The CDPA was signed into law in March 2021 and is set to become effective on January 1, 2023.
Scope: Applies to entities that process personal data and conduct business in Virginia, regardless of their location.
Consumer rights: Provides consumers with rights to access, correct, delete, and opt out of the sale of their data.
Sensitive data: Includes provisions for sensitive data, but the requirements are generally less stringent than in Colorado.
Enforcement: Allows for the Virginia Attorney General enforcement, with no private right of action.
California Privacy Rights Act (CPRA)
Effective date: The CPRA was approved by California voters in November 2020 and is set to become effective in stages, with full implementation expected by 2023.
Scope: Builds upon the California Consumer Privacy Act (CCPA) and applies to a broader range of entities, including those buying and selling data.
Consumer rights: Expands and strengthens consumer rights established under the CCPA, including enhanced opt-out mechanisms and the right to limit the use of sensitive data.
Sensitive data: Introduces additional protections for sensitive data, aligning it more closely with Colorado’s approach.
Enforcement: Maintains enforcement by the California Attorney General, with a new dedicated agency, the California Privacy Protection Agency (CPPA), overseeing implementation and enforcement.
The Colorado Privacy Act is a significant milestone in data privacy laws, designed to protect the personal data of Colorado residents. It establishes a framework for businesses to handle personal data responsibly and ethically, with an emphasis on transparency, consumer rights, and data protection assessments. As the Centennial State continues to adapt to the digital age, the CPA serves as a beacon of comprehensive privacy legislation, ensuring that the rights and privacy of its residents are safeguarded in the face of heightened data processing risks.