West Coast, East Coast, and Now Mountains, Too: Colorado Joins the Comprehensive State Privacy Law Club

After signing the CPA into law, Gov. Polis sent a letter to the Colorado General Assembly emphasizing that his “chief concern is ensuring Colorado's competitiveness with other states as an incubator of new technologies and innovations" and stating that the CPA "will require clean-up legislation next year, and in fact, the sponsors, proponents, industry, and consumers are already engaged in conversations to craft that bill." Additionally, Gov. Polis urged Colorado’s General Assembly to “strike the appropriate balance between consumer protection while not stifling innovation and Colorado's position as a top state to do business.”

Despite Gov. Polis’s indication that changes may be made to the CPA, businesses will need to begin thinking through their compliance obligations. Like the CPRA and the VCDPA, the CPA requires businesses to notify Colorado consumers about their data privacy rights and the processing of their personal information and provide them with choices over how that information is collected, used, and disclosed by businesses active in the state. Importantly, businesses must now also consider how the CPA differs from its counterparts as they work to implement programs for complying with the CPRA and VCDPA, which go into effect on January 1, 2023. While there is a high degree of similarity among the three laws, the CPA is arguably stricter than the VCDPA and more lenient than the CPRA. Key differences include requirements for contracts and privacy notices, applicable exemptions, required audits or assessments, and definitions of terms such as “sensitive information,” “publicly available information,” and “sale.” Significantly, the CPA disqualifies consent obtained through “dark patterns,” which it defines as user interfaces that can have the “effect of subverting or impairing user autonomy, decision making, or choice.”

Below, we discuss these differences and other key considerations for entities as they prepare to implement these three comprehensive state privacy laws.

Applicability and Definitions

The CPA applies to any "controller" that

• (a) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to Colorado consumers
• (b) either (1) controls or processes the personal data of at least 100,000 Colorado consumers in a calendar year or (2) derives revenue from, or receives a discount on a price or service from, the sale of personal data and processes or controls the personal data of 25,000 or more Colorado consumers; unlike the CPRA, both the CPA and the VCDPA have no minimum revenue thresholds as a means by which an entity may be subject to the law

Notably, the CPA, CPRA, and VCDPA exclude entities that do not operate for profit — but do so in different fashions. Importantly, unlike with the CPRA and VCDPA, nonprofit organizations are not explicitly exempt under the CPA. The VCDPA excludes nonprofit entities, and the CPRA defines a business as an entity that operates “for profit or financial benefit.”

The CPA includes the following key definitions:

• Controllers and Processors: The CPA defines "controllers" as entities that determine what data to collect and what should be done with it and "processors" as entities that process personal data on a controller’s behalf. These terms are similar to those used to describe entities in the VCDPA. Using different terms, the CPRA’s definition of “business” is similar to that of controllers under the CPA and VCDPA, and CPRA’s definitions of “service providers” and “contractors” are similar to that of processors.
• Consumers: The CPA defines a “consumer” as “a Colorado resident acting only in an individual or household context” and exempts individuals acting for commercial or employment purposes. This aligns with the VCDPA, but the CPRA’s similar exemptions are set to expire in January 2023.
• Sale: The CPA defines “sale of personal information” as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party,” which aligns with the CPRA’s definition of a sale. By contrast, the VCDPA defines a sale as data solely being exchanged for monetary consideration.

Exemptions

The CPA, like the CPRA and VCDPA, exempts certain categories of data, including data that is deidentified. The CPA has entitywide exemptions for financial institutions and affiliates subject to the Gramm-Leach-Bliley Act (GLBA) as well as state institutions for higher education. Notably, the CPA exempts data “created by a covered entity for the purposes of complying with HIPAA” but does not have an entitywide exemption for Health Insurance Portability and Accountability Act (HIPAA)-regulated entities.

Both the VCDPA and CPRA exempt entities regulated by HIPAA. The CPRA has fewer entitywide exemptions, exempting only entities regulated by HIPAA or the California Confidentiality of Medical Information Act. Meanwhile, the VCDPA exempts entities regulated by HIPAA and the Health Information Technology for Economic Clinical Health Act, financial institutions subject to GLBA, nonprofits, and certain higher education institutions.

The CPA contains a notable exemption for data maintained by public utilities so long as it is collected, maintained, disclosed, sold, communicated, or used “except as authorized” by state and federal law. Entities that qualify as a public utility under Colorado law should assess whether the CPA will apply to them. These entities include “every common carrier, pipeline corporation, gas corporation, electrical corporation, telephone corporation, water corporation, person, or municipality operating for the purpose of supplying the public for domestic, mechanical, or public uses and every corporation, or person declared by law to be affected with a public interest.” (Colorado Revised Statutes Section 40-1-103 (1)(a)(I).)

Consumer Rights

The CPA offers consumers the following rights: (1) access, (2) correction, (3) deletion, (4) data portability, and (5) the ability to opt out of the processing of personal information for purposes of targeted advertising, sale of personal data, or profiling. The CPRA and VCDPA also provide rights to consumers. We outline these individual rights in the table below.

While the CPRA does not have an express right to opt out of profiling, the law states that regulations will be issued “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling,” indicating a particular focus on further developing this subject.

The CPA provides consumers with the right to appeal a controller’s denial to respond to a consumer request within a reasonable time period. The business must respond to a request within 45 days, and if it does not, controllers must establish an appeal process to review that decision. This is similar to the process outlined in the VCDPA. The CPRA also requires businesses to respond within 45 days of a consumer request but does not require an appeal process to be established.

As indicated in the above chart, the CPA follows the VCDPA in mandating explicit, opt-in consent for the processing of sensitive personal data. The CPA defines sensitive personal data as information reasonably linkable to an identifiable individual that reveals “racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual relationship, or citizenship or citizenship status” or “genetic or biometric data that may be processor for the purpose of uniquely identifying an individual” or personal data from a “known child.” The consent must be “freely given, specific, informed, and unambiguous,” either by written statement or by an affirmative act through a web page, application, or similar method and cannot be obtained through “dark patterns,” which as noted above are defined in the CPA as user interfaces that can have the “effect of subverting or impairing user autonomy, decision making, or choice.”

Dark patterns have recently become a relatively significant topic in privacy considerations. The requirement to obtain explicit, opt-in consent when processing sensitive data, coupled with the anti-dark-patterns language, goes beyond the requirements set forth in the CPRA (opt-out standard) and the VCDPA (no dark patterns requirements).

As has been the trend, the rights afforded to consumers continue to be slightly different among states. These disparities require close analysis by entities in scope of multiple laws to ensure that they have a plan to implement and meet the unique requirements of each law, from notifying of rights to receiving requests, assessing a response, and responding to a request.

Obligations of the Controller

The CPA obligations for businesses are similar to those of the CPRA and the VCDPA. Specifically, under the CPA, businesses have the following obligations:

1. duty of transparency to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that lays out purpose of data processing and the information collected and shared
2. duty of purpose specification for which data is being collected and processed
3. duty of data minimization
4. duty to avoid secondary use such that data is not used for purposes for which it was processed without proper consent
5. duty of care regarding the maintenance of the personal data being processed
6. duty to avoid unlawful discrimination in violation of state and federal laws
7. duty regarding sensitive data, which requires explicit consent before processing
8. data protection assessments to analyze the risk that controllers take when processing personal information
9. data processing contracts between the controller and the processor

Implementing Regulations

The CPRA and CPA mandate regulations to implement certain sections of these laws. The CPRA regulations must be finalized by July 1, 2022, giving entities one year before enforcement of the CPRA will commence. The VCDPA does not expressly call for regulations, and it is unknown whether the Virginia Attorney General will issue any. The CPA mandates that by July 1, 2023, the Colorado Attorney General must adopt regulations addressing the specifics of universal opt-out signals to the sale and sharing of personal information. The requirement to accept these universal opt-out signals, however, does not go into effect until July 1, 2024. Thus, from January 1, 2023, through January 1, 2024, controllers may accept such a universal opt-out mechanism for opt-outs from targeted advertising or the sale of personal data, but from January 1, 2024, onward they must accept it. The CPA also provides the Attorney General with discretion to promulgate additional regulations for the purpose of carrying out the statute, including, if it so chooses, adopting by July 1, 2025, regulations that establish a defense for entities acting in good faith where their actions would otherwise constitute a violation of the CPA.

Due to the pending CPA and CPRA regulations, entities will need to be both proactive and flexible in their compliance approach. Waiting until the regulations are finalized will likely be too late to comfortably move through a compliance plan, but plans that are implemented leading up to the regulations will undoubtedly be affected by the regulations when they are issued. Some likely effects include the ability to align notice terms, creation of internal practices, and potentially the overall approach to compliance, as the later-in-time addition of particular requirements may change the ability to easily align similarly situated requirements.

Enforcement

One of the key differences among the three laws relates to enforcement. Only the CPRA provides for a private right of action, which is limited to consumers whose nonencrypted and nonredacted personal information or account access information is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Consumers may recover injunctive or declarative relief and damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Colorado and Virginia do not grant a private right of action, but both laws provide for regulatory enforcement.

A further important distinction is their treatment of the ability to cure a violation of law. Once an action is initiated under the CPA, the Colorado Attorney General or District Attorney must provide notice to the controller, who then has 60 days to cure the violation. The cure period under the VCDPA and the CPRA is limited to 30 days, with CPRA cure applying only to data breaches and not to those where the consumer is solely seeking actual pecuniary damages arising from violations of the CPRA. Moreover, unlike the CPRA and VCDPA, the right to cure under the CPA sunsets and is effective only until January 1, 2025.

A breakdown of the enforcement provisions of each of the three laws is below.

Looking Forward

While we are focused on these specific laws as they currently stand, it is also important to recognize that there may be important changes to how these laws will be interpreted and implemented, due both to impending regulations and to the potential for amendments to be proposed and passed during the 2022 legislative sessions.

As compliance programs will take time to create or update, entities should begin to assess their obligations and formulate a plan that takes into account each law and their potential further evolution.