Privacy, Technology and Perspective
Centennial State Chisels New Privacy Law — Colorado Privacy Act: Colorado is about to have a new consumer privacy law intended to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate” – the Colorado Privacy Act (“CPA”).
Overview: Those familiar with the privacy legislation of California and Virginia will find much in the CPA that resonates with one or both of those acts, including the CPA’s scope and exemptions, new consumer rights, new duties for data controllers and processors, and no private right of action.
Status: The Senate passed its version of the bill early in June. Now, the CPA is headed to the Governor, who is expected to sign it shortly.
Text: You can see the text of the Senate version by clicking the link below:
Effective Date: July 1, 2023.
Scope and Exemptions: The CPA will apply to all data controllers that (i) conduct business in Colorado or deliver products or services to Coloradoans, AND (ii) control or process the personal data of 100,000 or more Coloradoans during a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data. The term “data controller” means “persons that, alone or jointly with others, determine the purposes for and means of processing personal data.”
The CPA exempts data maintained for employment-record purposes. Further, it does not apply to Protected Health Information (“PHI”) regulated under the HIPAA Privacy Rule and other specific health-related information, nor to information regulated and authorized by the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), the federal Driver’s Privacy Protection Act (“DPPA”), the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act (“FERPA”), and certain other specific laws.
Consumer Rights in Personal Data: The CPA gives consumers who reside in Colorado five key rights with respect to their personal data, including the rights to:
– Opt out of processing for purposes of targeted advertising, the sale of personal data, or profiling that produces “legal or similarly significant effects;”
– Access their personal data held by a data controller;
– Correct inaccuracies in their personal data held by a controller;
– Delete their personal data; and
– Be provided with their personal data in a portable and ready-to-use format.
Controllers must respond to consumer rights requests without undue delay and within 45 days, though they may take one additional 45-day extension when reasonably necessary. The CPA also provides for authentication of requests and for an appeal process.
Transparency and other Controller duties: The CPA contains a section imposing “duties on controllers.” These include:
– The duty of transparency: Controllers must provide consumers with privacy notices that are reasonably accessible and clear, specifying the categories of personal data collected, the purposes for which that personal data will be used, the categories of data shared with third parties and the categories of those third parties, and a conspicuous disclosure with respect to any sale of personal data or data processing for targeted advertising.
– The duty of purpose specification: Controllers must “specify the express purposes for which personal data are collected and processed.”
– The duty of data minimization: Controllers may not collect more personal data than is adequate, relevant, and reasonably necessary for the disclosed purpose, without the consumer’s consent.
– The duty to avoid secondary use: Controllers may not process personal data in a manner that is incompatible with the specified purposes for which the personal data are processed, absent the consumer’s prior consent.
– The duty of care: Controllers must secure personal data by taking “reasonable” measures. These data security practices aren’t specified, but they must be appropriate to the volume, scope and nature of the business and the data that is being processed.
– The duty to avoid unlawful discrimination: Controllers must not violate the law when processing personal data or discriminate against consumers.
– The duty regarding sensitive data: Controllers must not process sensitive data absent a consumer’s consent, or in the case of a child, the consent of the child’s parent or lawful guardian. Under the CPA, “sensitive data” means “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.”
In addition, the CPA requires a data protection impact assessment where there is a heightened risk of consumer harm, including in cases where personal data is processed for the purpose of targeted advertising or profiling that may have an unfair or deceptive impact on consumers, or that may result in financial or physical injury to consumers, a physical or other intrusion on the seclusion of consumers, or other substantial injury. Such assessments “shall identify and weigh the benefits…against the potential risks to the rights of [consumers], as mitigated by safeguards…”
Processor Responsibilities: Processing of personal data must be governed by a contract between the controller and the processor that sets out the controller’s instructions to the processor, including the nature and purpose of the processing, the type of personal data involved, and these requirements on the processor: (i) to delete or return the data to the controller at the end of the provision of services; (ii) to make available all information necessary to demonstrate compliance with its obligations; and (iii) to allow for and contribute to “reasonable” audits and inspections by the controller or its designated auditor at least annually. Specifically, processors must follow controllers’ instructions, and:
– Take appropriate technical and organizational measures, insofar as that is possible, for the fulfillment of the controller’s obligation to respond to consumer rights requests;
– Help controllers meet their data security obligations; and
– Provide controllers with the information necessary to conduct and document data protection impact assessments.
Also, processors must ensure that every person processing the personal data is subject to a duty of confidentiality with respect to that data. Further, processors may not engage subcontractors without first giving controllers notice and an opportunity to object.
No Private Right of Action: There is no private right of action. The Colorado Attorney General and local district attorneys will have exclusive enforcement authority over the CPA. A violation of the CPA may be enjoined, and otherwise will be enforced as a deceptive trade practice.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.