The Colorado Privacy Act, or CPA, is the third comprehensive state consumer privacy law passed in the United States, and it regulates the way organizations obtain, process, use, store, and share personal information. Effective since July 1, 2023, the Colorado Privacy Act stands out by bringing nonprofit organizations into scope, unlike the privacy laws of California, Utah, Virginia, and Connecticut, all of which exclude nonprofit organizations from compliance.
In terms of applicability, the Colorado Privacy Act regulation applies to any controller, including nonprofits, that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and either controls or processes the personal data of 100,000 consumers or more during a calendar year, or derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”
Unlike the California Consumer Privacy Act (CCPA), it has no annual revenue threshold, and unlike Virginia's Consumer Data Protection Act (CDPA) it does not require that a controller derive more than 50% of its revenue from selling personal data: once the 25,000-consumer threshold is met, any revenue or price discount obtained from the sale of personal data is enough to bring even a small organization into scope.
Nonprofits operating in the healthcare sector may be exempted from compliance with the law as it excludes certain HIPAA regulated entities and certain types of health related information. Even so, you should check if the requirements of the law apply to your nonprofit organization by assessing whether your processing activity fits within one of the various categories of exemptions.
Compliance with the Colorado Privacy Act is required not only of for-profit entities but also of nonprofits, whether they act as data controllers or data processors. For a nonprofit organization that controls the personal information of Colorado residents, this means following the same rules as businesses. Firstly, you have to adhere to the seven duties outlined by the law, which are as follows:
Secondly, you must conduct data protection impact assessments (DPIAs) for any processing activity “that presents a heightened risk of harm to a consumer.”
Examples of processing activities for which you need to evaluate potential harms to consumers are:
The goal of such an assessment is to weigh the benefits of the processing against the potential risks and harms it poses to consumers. Where the risk is too high, additional security measures should be applied to the personal data to reduce it. Data protection assessments must be made available to the Attorney General upon request.
The Colorado Privacy Act also recognizes a consumer's right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling.
The right to opt out is not the only right the Colorado Privacy Act grants to data subjects. Other consumer rights that you are required to provide include the right to access, correct, or delete their personal data, the right to data portability, and the right to appeal a decision you made about their data, such as a refusal to act on their request. Consumer requests must be answered within 45 days, extendable by a further 45 days where reasonably necessary; appeals must also be answered within 45 days, but the extension for appeals is up to 60 days.
What is more, keep in mind that, as of July 1, 2024, the Colorado Privacy Act requires controllers to honor universal opt-out mechanisms, such as the Global Privacy Control (GPC) browser signal. Consumers can submit opt-out requests through such technologies, and your organization has to recognize and act on them, so you need to be prepared for that effective date.
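As an added example (not code from the original article or from Clym), the following Python shows one way a web backend can recognize a GPC signal. The GPC specification sends the request header "Sec-GPC: 1"; only that exact value carries an opt-out meaning, so the absence of the header or any other value is treated as no signal. Which processing purposes the signal switches off (here targeted advertising and sale), the request dictionaries, and the ConsentState structure are assumptions made for this example, and a GPC signal is merged with, never used to overwrite, opt-outs the consumer has already expressed elsewhere.

```python
# Added example: honoring a Global Privacy Control (GPC) opt-out signal
# on the server side. Not code from the original article or from Clym.
# Assumptions for this example: the purposes a GPC signal switches off,
# the header dictionaries used as sample requests, and ConsentState.
from dataclasses import dataclass, field

# Purposes assumed here to be covered by a universal opt-out signal.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


def gpc_opt_out(headers) -> bool:
    """Return True only when the request carries a valid GPC signal.

    Header names are case-insensitive; per the GPC spec only the exact
    value "1" is an opt-out, so "true", "0" or a missing header are not.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsentState:
    # Purposes the consumer has already opted out of through other
    # channels (a preference center, an earlier request, and so on).
    opted_out: set = field(default_factory=set)


def apply_request_signals(headers, state: ConsentState) -> ConsentState:
    """Merge a GPC header into the stored consent state.

    A GPC signal only adds opt-outs; it never removes an opt-out the
    consumer expressed some other way, and a request without the
    signal leaves the stored state untouched.
    """
    if gpc_opt_out(headers):
        state.opted_out |= OPT_OUT_PURPOSES
    return state


def allowed_purposes(state: ConsentState, requested) -> list:
    """Filter the purposes a page wants to process against the opt-outs.

    Order is preserved so callers can log exactly what was dropped.
    """
    return [p for p in requested if p not in state.opted_out]


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    with_gpc = {"User-Agent": "example", "Sec-GPC": "1"}
    without_gpc = {"User-Agent": "example"}
    malformed = {"sec-gpc": "true"}

    wanted = ["analytics", "sale", "targeted_advertising"]
    for label, hdrs in (("gpc", with_gpc), ("none", without_gpc),
                        ("malformed", malformed)):
        state = apply_request_signals(hdrs, ConsentState())
        print(label, "->", allowed_purposes(state, wanted))
```

The same check belongs in the browser as well, where the signal is exposed as the boolean property navigator.globalPrivacyControl; a tag manager that loads advertising scripts should consult it before firing any tag that sells or targets on personal data.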
The provisions of the Colorado Privacy Act are enforced by both the state Attorney General and the District Attorneys; there is no private right of action. Until January 1, 2025, in the event of a violation, the Attorney General or District Attorney must first issue a notice of violation "if a cure is deemed possible." If you fail to cure the violation within 60 days of receiving the notice, an action may be brought against you. As far as penalties are concerned, a violation of the Colorado Privacy Act is treated as a deceptive trade practice under the Colorado Consumer Protection Act, with civil penalties of up to $20,000 per violation.
For nonprofit organizations already acquainted with the GDPR, compliance with the Colorado Privacy Act should not be a difficult thing to achieve. However where that is not the case, the official text of the law, as well as the Colorado Privacy Act Rules are available, which we have discussed in a simplified manner in Part 1 and Part 2 of our overview of the Colorado Privacy Act (CPA) Final Rules.
The short version to all of the above is that nonprofit organizations are not exempted from compliance with the Colorado Privacy Act. This means that you have a series of obligations just like any other covered for profit entity conducting business in the state of Colorado. These obligations include the seven duties, the requirement for a DPIA, allowing consumers to exercise their consumer rights, and recognizing universal opt-out mechanisms.
By extending its applicability to nonprofits, Colorado's privacy law has opened the door for other US states to expand the scope of their own privacy laws to nonprofit entities, especially as targeted advertising becomes an increasingly discussed topic in the data privacy sector.
This means that at least as far as Colorado is concerned, nonprofit organizations need to determine whether they are collecting the personal information of Colorado residents and develop a reliable data protection program to make sure they are ready to face consumer requests, and comply with transparency and minimization duties, to avoid penalties.
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.