More and more states, such as California, Connecticut, Utah, and Virginia, are enacting data privacy laws. Companies that do business in such states, or that collect information on or from individuals residing in them, must enact or update their policies, procedures, and agreements so that they comply with the data processing laws of each jurisdiction from which information is collected. For companies doing business in Colorado, or collecting information from Colorado residents, that means complying with Colorado’s revised privacy act, appropriately named the “Colorado Privacy Act” (C.R.S. 6-1-1301, et seq.), which is set to go into effect on July 1, 2023.
The Colorado Privacy Act’s (the “Act”) stated goal is to help empower Colorado consumers to protect their privacy by requiring companies that do business in Colorado, or collect data from Colorado consumers, to act as “responsible custodians” of such personal information. The Act states the updated framework is meant to respond to a belief that increases in technology and data collection, although helpful in driving innovation and bringing “beneficial technologies to society,” have also created new risks to individuals’ privacy and freedom. Accordingly, the Act, in large part, focuses on creating a framework that addresses the following:
(1) Provides consumers the right to access, correct, and delete personal data, and the right to opt out not only of the sale of personal data but also of the collection and use of personal data;
(2) Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data; and
(3) Empowers the Colorado attorney general and district attorneys to access and evaluate a company’s data protection assessments, to impose penalties where violations occur, and to prevent future violations.
As mentioned, the Act’s new framework is set to take effect on July 1, 2023.
The Colorado Privacy Act defines “personal data” as information that is “linked or reasonably linkable to an identified or identifiable individual” and, in general, applies to businesses, referred to as “controllers,” that:
(1) conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado; and
(2) either (a) control or process the personal data of one hundred thousand (100,000) consumers or more during a calendar year or (b) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of twenty-five thousand (25,000) consumers or more.
The Act largely does not apply to information which is considered “de-identified data.” “De-identified data” is defined as “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual,” if the controller that possesses the data (1) takes reasonable measures to ensure that the data cannot be associated with an individual; (2) publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and (3) contractually obligates any recipients of the information to comply with the requirements of the Act.
The Act also creates a number of carve-outs for other specific types of information governed by other applicable laws, such as protected health information governed by HIPAA, credit information collected and maintained pursuant to the Fair Credit Reporting Act, or personal data collected pursuant to the Gramm-Leach-Bliley Act.
As noted, the Act provides Colorado consumers with a number of rights with regard to the collection and processing of their personal data, including:
- The right to opt out of (i) targeted advertising, (ii) the sale of their personal data, and (iii) profiling;
- The right to access their personal data and confirm whether a controller is processing their personal data;
- The right to correct inaccuracies in their personal data;
- The right to require a controller to delete personal data collected; and
- The right to obtain information regarding their personal data in portable form, up to two times per year.
The Act defines a “consumer” as “an individual who is a Colorado resident acting only in an individual or household context”; the term “consumer” does not include “an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”
In connection with the rights granted to consumers, the Act places a number of obligations on companies that either control or process Colorado consumer personal data. The Act defines a “controller” as the person or entity who, “alone or jointly with others, determines the purposes for and means of processing personal data.” In other words, where consumer information is collected from a company’s website or other service, the company is considered the “controller.” In addition to other responsibilities, such as carrying out data protection assessments, the Act places various duties and responsibilities on controllers, including:
- A duty of transparency regarding the controller’s data processing practices;
- A duty of “purpose specification,” explaining the controller’s reasons for collecting and processing data;
- A duty of data minimization, limiting data processing to what is reasonably necessary to accomplish the controller’s stated data processing purposes;
- A duty to avoid secondary use of collected data;
- A duty of care;
- A duty to avoid unlawful discrimination in processing data; and
- A heightened duty when processing sensitive data, which may require a consumer’s prior consent in certain circumstances.
Likewise, the Act requires that controllers provide consumers with a clear and meaningful privacy notice or privacy policy that includes, at a minimum:
(1) The categories of personal data collected or processed by the controller or a processor;
(2) The purposes for which the categories of personal data are processed;
(3) How and where consumers may exercise their rights under the Act, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
(4) The categories of personal data that the controller shares with third parties, if any; and
(5) The categories of third parties, if any, with whom the controller shares personal data.
In connection with these responsibilities, the Act also requires controllers to provide consumers with additional notices upon the occurrence of certain events, such as when data is requested by a consumer or where a data breach occurs, or when the controller has a duty to inform consumers of their right to opt out of data collection. Likewise, the Act also requires controllers to implement and maintain internal plans and processes to respond to consumer requests for information and appeals.
Similar obligations are also placed on data processors. A “processor” is defined as a person or entity who “processes personal data on behalf of a controller.” Whether a company acts as a processor or controller requires a careful analysis of a company’s activities and role. Lastly, the Act also governs relationships between data processors and data controllers, including by requiring that certain contractual obligations be memorialized in writing between controllers, processors, and subcontractors. Although such requirements are outside the scope of this article, further information on data processing agreements can be found here.
Because failure to comply with the Act can result in legal action or penalties against a non-compliant company, companies that collect, use, sell, store, disclose, analyze, delete, or otherwise modify or use Colorado consumer personal data should take steps to help ensure they are in compliance with the Act. Such actions may include, but are not limited to:
- Reviewing current internal business practices and policies to understand what data is collected from consumers and how it is used;
- Ensuring an updated privacy policy is in use and easily available to consumers;
- Ensuring additional notices regarding the company’s data processing practices are in place and made available to consumers, including opt-out notices, as applicable;
- Ensuring updated internal policies and mechanisms governing internal and third-party data handling are in place and are provided to relevant employees and contractors;
- Ensuring records are properly made and retained documenting compliance with the Act’s requirements, such as the carrying out of data protection assessments;
- Ensuring updated internal policies and mechanisms regarding consumer requests and notifications are in place and provided to relevant employees and contractors;
- Ensuring mechanisms are in place to prevent, and respond to, data breaches, and ensuring that mechanisms are in place to notify affected consumers; and
- Ensuring updated data processing contracts that meet the Act’s requirements are used when entering into relationships with third-party processors, subcontractors, and controllers.