After California and Virginia, the Colorado Privacy Act of 2021 is the third comprehensive consumer data protection law in the US. It is expected to take effect on July 1, 2023.

What is the Colorado Privacy Act 2021?

On June 8, 2021, the Colorado Senate concurred with the House amendments to the Colorado Privacy Act bill. Once signed by the Governor, it will become the third state-wide consumer data privacy law in the US, after California's CCPA and Virginia's CDPA.

Like its counterparts, the Act protects the personal data of Colorado residents, referred to in the Act as consumers. Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual; it excludes de-identified data and publicly available information.

The Act applies to organizations that do business in Colorado, or that produce or deliver commercial products or services intentionally targeted at Colorado residents, and that meet at least one of the following criteria:

  • Control or process the personal data of 100,000 or more consumers in a calendar year; or
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and control or process the personal data of 25,000 or more consumers.

The Act exempts certain organizations and categories of personal data that are already regulated under federal law: protected health information and de-identified information under HIPAA; financial institutions and nonpublic personal information under the GLBA; information regulated by the FCRA, COPPA, and FERPA; and information regulated by the Driver's Privacy Protection Act of 1994. It also exempts data maintained for employment records purposes.

Read the full text of the Colorado Privacy Act here.

Controllers and Processors

A controller is an entity that, alone or jointly with others, determines the purposes and means of processing personal data. A processor is an entity that processes personal data on behalf of a controller. Controllers bear most of the obligations under the Act; a processor must follow the controller's instructions and assist the controller in meeting those obligations. A processor's duties include:

  • taking appropriate technical and organizational measures to help the controller respond to consumers' requests to exercise their rights,
  • assisting the controller with the security of processing and with data breach notifications, and
  • providing the information the controller needs to conduct and document data protection assessments.

Rights of consumers

Like other US privacy laws, the CPA grants consumers a set of rights. A consumer may exercise them at any time by submitting a request to the controller through the methods described in the controller's privacy notice. The request method must be secure, reliable, and easy to use, and must not require the consumer to create a new or separate account. The controller must be able to authenticate the identity of the consumer making the request; without that step, the access and deletion rights become a channel through which an impostor could obtain or destroy someone else's data.
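One way to meet the authentication requirement without forcing the consumer to create an account is to prove control of the e-mail address the controller already holds for them. The following is an added example written for this article, not code from the original page or from CookieYes; the helper names, the 24-hour link lifetime, the `example.invalid` URL and the sample addresses are assumptions. It binds an HMAC-signed, time-limited token to the specific request so a verification link for one request cannot be replayed for another, and it answers every intake the same way so the form cannot be used to probe which addresses the controller holds.

```python
"""Verify the requester before acting on a consumer rights request.

Added illustration, not code from the original article or from CookieYes.
Hypothetical design: the controller proves that the requester controls the
e-mail address it holds for the consumer by sending a one-time link carrying
an HMAC-signed, time-limited token bound to the request. No account has to be
created. Helper names, the 24-hour lifetime and the sample data are assumptions.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Set

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a verification link
RIGHTS = {"access", "correction", "deletion", "portability", "opt_out"}
OUTBOX = []  # stands in for a mail gateway in this illustration


@dataclass(frozen=True)
class RightsRequest:
    request_id: str  # opaque id minted by the intake form
    email: str       # address supplied by the requester
    right: str       # one of RIGHTS


def _message(request: RightsRequest, issued_at: int) -> bytes:
    """Canonical bytes the MAC covers.

    Every field that affects what the controller will do is included, so a
    token issued for an access request cannot be replayed to delete the same
    consumer's data, and a token for one request id cannot serve another.
    """
    fields = (request.request_id, request.email.strip().lower(), request.right, str(issued_at))
    return "\x1f".join(fields).encode("utf-8")


def issue_token(request: RightsRequest, secret: bytes, now: Optional[int] = None) -> str:
    """Return 'issued_at.hexmac' to embed in the verification link."""
    if request.right not in RIGHTS:
        raise ValueError(f"unknown right: {request.right}")
    issued_at = int(time.time() if now is None else now)
    mac = hmac.new(secret, _message(request, issued_at), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_token(request: RightsRequest, token: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Accept only an untampered, unexpired token for exactly this request."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if issued_at > current or current - issued_at > TOKEN_TTL_SECONDS:
        return False  # issued in the future, or link older than its TTL
    expected = hmac.new(secret, _message(request, issued_at), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, mac)


def send_mail(address: str, body: str) -> None:
    """Hypothetical delivery function; records instead of sending."""
    OUTBOX.append((address, body))


def intake(request: RightsRequest, known_emails: Set[str], secret: bytes,
           now: Optional[int] = None) -> str:
    """Step one: mail a link only if the address is on file, but always reply
    identically, so the form does not reveal which addresses the controller holds."""
    if request.email.strip().lower() in known_emails:
        link = f"https://example.invalid/verify?id={request.request_id}&t={issue_token(request, secret, now)}"
        send_mail(request.email, link)
    return "If we hold data for this address, a verification link has been sent."


def fulfil(request: RightsRequest, token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Step two, reached from the link: act only after the token verifies."""
    if not verify_token(request, token, secret, now):
        return "rejected"
    return f"verified: proceed with {request.right} for request {request.request_id}"


if __name__ == "__main__":
    secret = b"demo-secret-not-for-production"  # constructed; load from a secret store in practice
    req = RightsRequest("req-1", "Alice@Example.com", "deletion")
    print(intake(req, {"alice@example.com"}, secret))
    token = OUTBOX[-1][1].split("&t=", 1)[1]
    print(fulfil(req, token, secret))
```

The token is only a proof that the requester controls the mailbox on file; for requests that would disclose sensitive data a controller may want a second factor, and the secret must be rotated and kept out of source control like any other signing key.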

These are the consumer rights under the Act:

Right to opt out

A consumer can opt out of the following types of processing:

(a) targeted advertising;

(b) the sale of personal data; or

(c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Consumers must be able to opt out through a method that clearly indicates their intent, such as a web link, a browser setting, a browser extension, or a global device setting. The controller must offer a clear and conspicuous opt-out method and describe it in every privacy notice it is required to provide; the notice itself must be readily accessible.

The technical specifications for a universal opt-out mechanism will be set by the Colorado attorney general; controllers must honor such a mechanism from July 1, 2024.

A consumer who has opted out may later consent to targeted advertising or the sale of personal data through a web page, application, or similar method. Before obtaining that consent, the controller must give the consumer a clear and conspicuous notice describing the available opt-in and opt-out choices, the categories of personal data to be processed and the purposes of processing, and how and where the consumer can withdraw consent.

Right of access

This right lets a consumer confirm whether a controller is processing their personal data and obtain access to that data.

Right to correction

Consumers can ask the controller to correct inaccuracies in their personal data, taking into account the nature of the data and the purposes of the processing.

Right to deletion

Consumers have the right to request deletion of their personal data.

Right to data portability

When exercising the right of access, a consumer may obtain their personal data in a portable and, where technically feasible, readily usable format so that it can be transferred to another controller.

A consumer may exercise the portability right no more than twice in a calendar year.

Controllers must inform the consumer of any action taken on a request, or of the reasons for not acting, within 45 days of receiving it. The 45-day period may be extended by a further 45 days where reasonably necessary given the complexity and number of requests, provided the consumer is told of the extension within the initial 45 days.

Controllers must also provide a way for consumers to appeal a refusal to act on a request.

Controllers cannot charge a fee for responding to a request unless it is the consumer's second or subsequent request within 12 months.
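The timing rules above (45 days plus one notified 45-day extension, two portability requests per calendar year, a fee only from the second request within 12 months) are easy to get subtly wrong because the portability quota runs on a calendar year while the fee rule runs on a rolling window. The following is an added example written for this article, not code from the original page or from CookieYes; the record layout, the reading of "12 months" as 365 days, and the sample history are assumptions.

```python
"""Track the Act's response deadlines and per-consumer request quotas.

Added illustration, not code from the original article or from CookieYes.
Encodes the timing rules described above; the record layout, the 365-day
reading of "within 12 months" and the sample history are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

RESPONSE_DAYS = 45
EXTENSION_DAYS = 45
PORTABILITY_PER_CALENDAR_YEAR = 2
FREE_REQUESTS_PER_WINDOW = 1
FEE_WINDOW = timedelta(days=365)  # assumed reading of "within 12 months"


@dataclass(frozen=True)
class RequestRecord:
    consumer_id: str
    right: str                          # "access", "correction", "deletion", "portability", "opt_out"
    received: date
    extended_on: Optional[date] = None  # day the consumer was told of an extension


def response_deadline(rec: RequestRecord) -> date:
    """Initial 45-day deadline, or 90 days if an extension was notified in time."""
    initial = rec.received + timedelta(days=RESPONSE_DAYS)
    if rec.extended_on is None:
        return initial
    if rec.extended_on > initial:
        raise ValueError("extension must be notified within the initial 45-day period")
    return initial + timedelta(days=EXTENSION_DAYS)


def is_overdue(rec: RequestRecord, today: date) -> bool:
    return today > response_deadline(rec)


def portability_allowed(history: Iterable[RequestRecord], consumer_id: str, on: date) -> bool:
    """Calendar-year quota: count only portability requests received in the same year."""
    used = sum(1 for r in history
               if r.consumer_id == consumer_id and r.right == "portability"
               and r.received.year == on.year)
    return used < PORTABILITY_PER_CALENDAR_YEAR


def fee_may_be_charged(history: Iterable[RequestRecord], consumer_id: str, on: date) -> bool:
    """Rolling window: any earlier request by this consumer in the last 12 months
    makes the new one a 'second or subsequent' request."""
    prior = sum(1 for r in history
                if r.consumer_id == consumer_id and on - FEE_WINDOW < r.received <= on)
    return prior >= FREE_REQUESTS_PER_WINDOW


def triage(history: Iterable[RequestRecord], new: RequestRecord) -> Dict[str, object]:
    """Everything an intake queue needs to know about a freshly received request."""
    history = list(history)
    return {
        "deadline": response_deadline(new),
        "portability_ok": new.right != "portability"
                          or portability_allowed(history, new.consumer_id, new.received),
        "fee_may_apply": fee_may_be_charged(history, new.consumer_id, new.received),
    }


if __name__ == "__main__":
    # Constructed sample history for one consumer.
    history = [
        RequestRecord("c1", "portability", date(2023, 2, 1)),
        RequestRecord("c1", "portability", date(2023, 9, 1)),
    ]
    print(triage(history, RequestRecord("c1", "portability", date(2023, 12, 1))))
    print(triage(history, RequestRecord("c1", "portability", date(2024, 1, 15))))
```

In practice `received` should be the day the request was verified as genuine rather than the day the form was submitted, and the history store should be the same system that logs the verification step, so that the deadline clock and the audit trail agree.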

Duties of controllers

Under the Colorado Privacy Act, data controllers have a number of duties. These are the main ones.

Duty of transparency

The Act requires controllers to be transparent about their data processing, and the vehicle for this is the privacy notice. The notice must be readily accessible, clear, and meaningful, and must include:

  • the categories of personal data collected or processed 
  • the purposes for processing the personal data
  • how and where consumers may exercise their rights, including the controller's contact information and how a consumer can appeal the controller's decision on a request
  • the categories of personal data that the controller shares with third parties 
  • the categories of third parties, if any
  • if the controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that fact and of how the consumer can opt out.

Duty of purpose specification

The controller must specify the express purposes for which personal data is collected and processed.

Duty of data minimization

Collection of personal data must be adequate, relevant, and limited to what is reasonably necessary for the specified purposes.

Duty to avoid secondary use

The controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the specified purposes unless it first obtains the consumer's consent.

Duty of care

The controller must take reasonable measures to secure personal data, during both storage and use, from unauthorized access. The measures must be appropriate to the volume, scope, and nature of the personal data and to the nature of the business.

Duty to avoid unlawful discrimination

The controller must not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

Duty regarding sensitive data

The controller must obtain the consumer's consent before processing sensitive data; for the personal data of a known child, consent must come from the child's parent or lawful guardian.

Data Protection Assessments (DPA)

Where processing presents a heightened risk of harm to consumers, the controller must conduct and document a data protection assessment of each such processing activity.

A data protection assessment must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer's rights, and must consider the safeguards that could mitigate those risks.

On request, the controller must make the assessment available to the attorney general, who may evaluate it for compliance with the Act.

Enforcement and penalties

The Colorado Privacy Act is enforced exclusively by the attorney general and district attorneys. Before taking action against a controller, they may issue a notice of violation; if the controller fails to cure the violation within 60 days of receiving the notice, enforcement can proceed. This cure period expires on January 1, 2025.

How to prepare your business for the Colorado Privacy Act?

The US consumer data protection laws share most of their compliance requirements with the EU's General Data Protection Regulation (GDPR).

To bring your website into compliance with the Colorado Privacy Act, take the following steps:

  • Do not process personal data for any purpose other than the ones you have specified.
  • Do not collect more personal data than the specified purposes require.
  • Get consent from visitors where the Act requires it: before processing sensitive data, before using personal data for a new purpose, and before re-enabling targeted advertising or sales for a consumer who has opted out.
  • Add a privacy notice that discloses the categories of data you collect; the purposes of processing; the categories of third parties you share personal data with; how to opt out of sales and targeted advertising; how and where consumers can exercise their rights; and your contact information.
  • Provide a clear opt-out method such as a web link, and be ready to honor the universal opt-out mechanism from July 1, 2024.
  • Give consumers an easy, user-friendly way to withdraw consent at any time.
  • Implement a process to authenticate consumer rights requests and respond to them within the 45-day deadline, including a way to appeal a refusal.
  • Safeguard personal data against unauthorized access, with measures appropriate to the data you hold.
  • Conduct and document data protection assessments for any processing that presents a heightened risk of harm.
  • Monitor for shortfalls and cure any violation within the 60-day notice period while the cure period remains available.

And when it comes to cookies on your website, CookieYes offers a simple and seamless cookie consent tool that collects consent from users and blocks third-party cookie scripts until consent is given.
