How Nonprofits Can Meet Colorado's Privacy Act (CPA) Requirements

The Colorado Privacy Act, or CPA, is the third data privacy regulation passed in the United States, which regulates the way organizations obtain, process, use, store, and share personal information. Effective since July 1, 2023, the Colorado Privacy Act stands out through its inclusion of nonprofit organizations, as opposed to other US privacy laws, such as California, Utah, Virginia, or Connecticut, all of whom exclude nonprofit organizations from compliance. 

In terms of applicability, the Colorado Privacy Act regulation applies to any controller, including nonprofits, that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and either controls or processes the personal data of 100,000 consumers or more during a calendar year, or derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”

Unlike the California Consumer Privacy Act (CCPA), or Virginia's Consumer Data Protection Act (CDPA), it  does not include revenue thresholds and even applies to smaller businesses that derive less than 50% of their revenue from the sale of data.

Nonprofits operating in the healthcare sector may be exempted from compliance with the law as it excludes certain HIPAA regulated entities and certain types of health related information. Even so, you should check if the requirements of the law apply to your nonprofit organization by assessing whether your processing activity fits within one of the various categories of exemptions.  

Compliance with the Colorado Privacy Act means that not just for-profit entities have to follow the rules but also nonprofits, be they data controllers or data processors. What this means for you, as a nonprofit organization that controls personal information of Colorado residents, is that you have to follow the same rules as businesses which means, firstly, that you have to adhere to the seven duties outlined by the law, which are as follows:

• Duty of transparency: you have to provide your website visitors with “a reasonably accessible, clear, and meaningful privacy notice” that includes a series of details such as what data is being collected or processed, for what purposes, how consumers can exercise their rights under this law, and, where applicable, the categories of personal data shared with third parties and what category of third parties these are;
• Duty of purpose specification: you are required to “specify the express purposes for which personal data are collected and processed.”
• Duty of data minimization: the amount of data you collect has to be “adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data was collected.”
• Duty to avoid secondary use: unless you first obtain the consent of your website visitors, you must  restrict the use of the personal data you collected to only the specified purposes for which you collected it in the first place.
• Duty of care: you are required to take “reasonable measures” to secure the safety of the personal data you collected. These measures have to be “appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”
• Duty to avoid unlawful discrimination: you are prohibited from processing personal data “in violation of state or federal laws that prohibit unlawful discrimination against consumers.”
• Duty regarding sensitive data: before you can process the sensitive data of any individual, you are required to first obtain their consent. If the individual is a child, you must  obtain consent from the child’s parent or legal guardian. 

Secondly, you must conduct data protection impact assessments (DPIAs) for any processing activity “that presents a heightened risk of harm to a consumer.”

Examples of processing activities for which you need to evaluate potential harms to consumers are: 

• Processing of personal data for purposes of targeted advertisement; 

Colorado Privacy Act also recognizes a consumer’s right to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data, or profiling. 

• Processing of sensitive personal data (such as religious beliefs, racial or ethnic origin, mental or physical health condition and diagnosis, citizenship or status, sex life or sexual orientation, etc.) 

A goal of such an assessment is to weigh if the processing and benefits of processing are adequate in view of potential risks and harms to consumers associated with processing. In some cases, additional security measures should be taken to protect personal data to decrease the risks. Data protection assessments should be made available to the attorney general upon request. 

The right to opt out is not the only right provided to data subjects by Colorado Privacy Act. Other consumer rights that you are required to provide include the right to access, correct, or delete their personal data, the right to data portability, and the right to appeal a decision you made about their data, such as a refusal to respond to their request. All consumer requests have to be replied to within 45 days with an additional 45 days extension, where reasonably necessary, except for the right to appeal where the extension is up to 60 days. 

What is more, keep in mind that, as of July 1, 2024, the Colorado Privacy Act recognizes universal opt-out mechanisms, such as GPC, which means that consumers can submit opt out requests through the use of such technologies which have to be recognized by your organization so you need to be prepared for the effective date of this.

The provisions of the Colorado Privacy Act  are enforced by both the state Attorney General and the District Attorneys and there is no private right of action. Until January 1st, 2025, in the event of a violation of the Colorado Privacy Act, the Attorney General or District Attorney will issue a notice of violation “if a cure is deemed possible.” If you fail to cure the violation within 60 days after receiving the notice, action may be brought against you. As far as penalties are concerned, under the Colorado Privacy Act, a violation is considered as deceptive trade practice, and the penalties for this can range between $2,000 and $20,000 per violation. 

For nonprofit organizations already acquainted with the GDPR, compliance with the Colorado Privacy Act should not be a difficult thing to achieve. However where that is not the case, the official text of the law, as well as the Colorado Privacy Act Rules are available, which we have discussed in a simplified manner in Part 1 and Part 2 of our overview of the Colorado Privacy Act (CPA) Final Rules.

What Are the Next Steps?

The short version to all of the above is that nonprofit organizations are not exempted from compliance with the Colorado Privacy Act. This means that you have a series of obligations just like any other covered for profit entity conducting business in the state of Colorado. These obligations include the seven duties, the requirement for a DPIA, allowing consumers to exercise their consumer rights, and recognizing universal opt-out mechanisms. 

In setting this threshold for applicability, Colorado’s privacy law has opened the door to other US states potentially expanding the applicability of their own privacy laws to include nonprofit entities, especially in light of the fact that targeted advertising is an increasingly discussed topic in the data privacy sector. 

This means that at least as far as Colorado is concerned, nonprofit organizations need to determine whether they are collecting the personal information of Colorado residents and develop a reliable data protection program to make sure they are ready to face consumer requests, and comply with transparency and minimization duties, to avoid penalties. 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

• All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
• Seamless integration into your website;
• Adaptability to your users’ location and applicable regulation;
• Customizable branding;
• ReadyCompliance™: Covering 30+ data privacy regulations;
• Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.