Colorado Privacy Act (CPA): New Obligations for Businesses Processing Consumer Data

On July 1, Colorado will join four other states as its comprehensive privacy law, the Colorado Privacy Act (CPA), goes into full effect. The CPA imposes significant new obligations for businesses and nonprofit organizations that come under its umbrella, as well as the possibility of substantial fines for lack of compliance. All companies should assess whether they are subject to the Colorado Privacy Act and, if so, what they need to do to make sure their data program is compliant.

READ: The FTC Safeguards Rule — Why Your Business Needs to Improve Cyber Security in 2023

Who must comply

The Colorado Privacy Act is intended to target businesses that traffic in large amounts of personal data. The CPA applies to any business or nonprofit that (1) “processes” (defined as collecting, using, selling, storing, disclosing, analyzing, deleting, or modifying) data for 100,000 or more Colorado residents annually or (2) benefits from selling data and processes data for 25,000 or more Colorado residents. As a result, any business with a database containing the requisite number of Colorado residents will likely be subject to the CPA.  

What companies must do

The Colorado Privacy Act applies to the personal data (defined as data that is linked or reasonably linkable to an individual) of Colorado consumers. The CPA provides consumers with a host of new rights, including the right to access, correct and in some cases delete their data held by a company.

The Colorado Privacy Act also provides consumers with the right to obtain a copy of their data and the right to opt out of certain uses of their data, including the right to opt-out of the sale of their data or using their data for “profiling.” The CPA further requires companies to obtain consent from consumers before they begin processing certain types of data that are highly sensitive. The CPA requires that businesses create a system to respond to consumer requests within 45 days.  

The Colorado Privacy Act mandates that subject businesses limit their collection and use of personal data to that which is reasonably necessary and compatible with the purpose disclosed to consumers and obtain consent from the consumers before processing personal data for a purpose not originally disclosed. This means that most subject businesses will need to review their privacy policies to ensure they are sufficiently disclosing all data being collected and how that data is used. Further, to the extent a subject business transfers any personal data to a vendor or other third party, the CPA mandates the agreement obligates that vendor to also comply with the CPA.

Finally, the Colorado Privacy Act mandates that businesses maintain reasonable measures to keep personal data confidential. This mandate is accompanied by a requirement that entities conduct periodic data protection assessments to evaluate risks associated with certain processing activities and document the assessments.

READ: How to Minimize Cybersecurity Risks and Balance Customer Friction for your Online Business

Potential ramifications

The ramifications for violating the Colorado Privacy Act are significant, with each violation (measured per consumer and per transaction) punishable by civil penalties up to $20,000.

How to prepare

The Colorado Privacy Act goes into effect on July 1 but has a one-year lookback period, meaning that businesses that are subject need to implement a compliance program as soon as possible. Businesses should consider the following when preparing to comply:

Know what data you have and where it resides.

Understand what data you maintain on consumers and where that data is located.

READ: Unlocking the Power of Data for Small Businesses — How Data Implementation Drives Business Growth and Success

Assess the necessity of each category of data.

Assess whether each type of data collected is truly necessary to accomplish your organization’s goals and ditch any data that is extraneous or no longer useful.  

Assess and adjust the security measures in place.

Ensure that the appropriate security is in place for each type of data.

Document your efforts to assess your data.

Ensure your efforts to assess your data and security measures, as well as the reasoning behind any decisions, is well-documented.

Update your privacy policy.

Make sure your privacy policy is transparent as to how you are using the data and is easy to understand.

Update your vendor agreements.

Review your vendor agreements to ensure vendors are obligated to comply with the CPA and submit to audit.

Put in place a process for responding to consumer requests and obtaining consent.

Once consumers learn of their new rights, they will begin sending in requests to exercise them. Without a process in place, these requests will quickly become unmanageable.

Ensure that all relevant employees are trained on the privacy program.

Otherwise, the procedures are nothing more than words on paper.

The bottom line

Given the ever-evolving nature of privacy laws and regulations, companies that process consumer data need to make sure their privacy programs are up to date to ensure they do not find themselves in a stand-off with regulators.  One of the best ways to protect against compliance issues is to speak with counsel experienced in data privacy issues.

Jessica Arett practices in the litigation group in Sherman & Howard in Denver. She is one of the few Colorado lawyers who is certified as a privacy professional through the International Association of Privacy Professionals. She advises businesses and non-profit organizations on issues related to privacy and data security, including working closely with clients to ensure compliance with the most recent data security laws and regulations. She has experience handling data security issues in the education, health care, public utility, and financial space.