The Colorado Privacy Act (CPA) - Final Rules (Part 1)
On July 1, 2023, the Colorado Privacy Act (CPA) became effective. The CPA is unique because, contrary to the already effective California Consumer Privacy Act (CCPA), it does not exclude non-profit entities or have a monetary threshold for applicability. When it was signed, the Colorado Privacy Act required that the Colorado Attorney General would adopt additional rules, clarifying opt-out mechanisms requirements and consent.
Final Colorado Privacy Rules ("CPA Rules") provide clarifications on requirements of the Colorado Privacy Act and create obligations for organizations that conduct business or target more than 100,000 consumers annually in Colorado or profit from the sale of personal information of 25,000 or more Colorado residents (further referred to as "Controllers").
Below we discuss further key provisions of the CPA Rules.
Privacy notices, as well as other notifications and communications to consumers regarding personal information collection and processing, need to be designed in an understandable and accessible way for consumers and use straightforward, plain language, without technical and legal jargon. This requirement is very similar to the requirements of the General Data Protection Regulation ("GDPR").
Additionally, a language needs to be understandable to consumers and accessible for people with disabilities, for notices provided online. It is recommended to follow the Web Content Accessibility Guidelines (WCAG) to ensure that consumers with disabilities are able to access the information.
A notice must include an explanation of how consumers may submit a data subject request.
Data Subject Rights
CPA provides consumers with a number of data subject rights, including a right to access, delete, correct, or obtain a copy of their personal information, and a number of opt-out rights, such as the right to opt-out of targeted advertisements, the right to opt out of profiling (certain types) and the right to opt-out of sale.
Controllers have the right to choose the best way for their consumers to submit a request, given that:
- when interaction with a consumer takes place online only, a consumer shall only be required to provide an email to submit a request;
- when interaction with a consumer takes place both online and offline, two or more methods to submit a request shall be provided;
- when interacting with a consumer in person, an in-person method (printed form, a tablet, etc.) should be provided to allow consumers to submit a request directly.
All of the options mentioned above should be easily accessible to consumers, and communication should be made in an understandable and simple language.
A method doesn't have to be specific to Colorado, which is a relief for companies operating in more than one state, however, it has to indicate which rights are available to Colorado consumers clearly and provide them with a clear understanding of how to submit a request.
A method doesn't have to be specific to Colorado, however, it has to indicate which rights are available to Colorado consumers clearly and provide them with clear understanding on how to submit a request.
Right to opt-out
If they receive an opt-out request, Controllers shall cease the processing as soon as possible. If the request is received online and the consumer is not identified, it is allowed to request more information from the consumer to identify them.
While Controllers generally have 45 days to respond to a request, when consumers make use of more than one data subject right within one request or the request is complex, it is okay to complete the request within a longer period of time, however, an opt-out request should be satisfied earlier than other rights.
Maintaining a record of opt-out requests, as well as responses to consumers is mandatory.
Right to access
If they receive an access request, Controllers shall provide the consumer with all the pieces of personal data that is collected and maintained, including, but not limited to profiling decisions, marketing profiles, conclusions made based on the information in the profile, and other information which directly or indirectly identifies a consumer.
Where relevant, the provided information shall include explanations that would allow overage consumers to understand corporate jargon. Provided information should allow an overage consumer to make an informed decision of whether to exercise deletion, correction, or opt-out rights. Provision of information should be made taking into account the security of data.
When a right to access in a portable manner would reveal the Controller's trade secrets, the Controller must find a way to satisfy a request without revealing trade secrets in a non-portable format or any other appropriate way.
Having looked at the first set of requests consumers can submit, we will cover guidelines on how to process other request types in the second part of this series.