This article is a summary of the upcoming Colorado Privacy Act and its potential impacts on Colorado businesses and business owners.
The CPA applies to entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either (a) control or process the personal data of 100,000 or more consumers during a given year, or (b) control or process the personal data of 25,000 or more consumers and derive revenue or realize discounts from the sale of personal data.
There is no monetary threshold for applicable entities, meaning the CPA applies to all sizes of companies, so long as the company meets the above criteria.
For purposes of the CPA, “consumer” means Colorado residents acting in their individual or household contexts. It does not include Colorado residents acting in a commercial or employment context. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable individual but does not include publicly available information.
Yes. The CPA does not apply to certain types of entities and data sets that are otherwise regulated by other bodies of law, such as financial institutions and certain types of healthcare-related data. Businesses that are already subject to federal privacy laws should review those laws’ exemptions to see if any apply.
New consumer rights include the right to opt out of the processing of personal data for targeted advertising or for the sale of such personal data. The CPA provides for applicable companies to have a universal opt-out mechanism, which such companies may implement once the CPA goes into effect on July 1, 2023.
Beginning July 1, 2024, the opt-out mechanism will be mandatory. The CPA lacks clear guidance regarding the expectations for the opt-out mechanism, but the Colorado Attorney General will promulgate rules detailing the requisite technical specifications by July 1, 2023. The user-friendly mechanism must allow consumers to freely and unambiguously choose to opt out, and a mere default opt-out setting will be insufficient.
Consumers will also be afforded the right to access certain personal data (and to obtain it in a portable, readily usable format) and the rights to correct inaccuracies and to delete personal data concerning them. Once a consumer submits a request to access, correct, delete or provide personal data, the receiving entity must respond to the consumer’s request within 45 days of receiving it. Consumers will have the right to appeal an entity’s decision once rendered.
To comply with the CPA, businesses will need to:
The CPA distinguishes certain types of personal data as sensitive data and places additional requirements around the processing of such data. The CPA defines sensitive data as any personal data that reveals:
Kevin Tibolt is a business attorney at Minor at Brown, PC whose passion for serving others guides his every move as an advisor, strategist and team member. Kevin relishes the role of outside general counsel to his clients, where he can gain a holistic understanding of his clients and their businesses. His practice includes forming businesses, corporate governance, mergers and acquisitions, debt and equity financings and commercial contracting. Direct dial number: 303-376-6051