The Colorado Privacy Act (CPA) - Final Rules (Part 2)
In the first part of this blog series, we began looking at the Colorado Privacy Act (CPA), which became effective on July 1, 2023, and the final Colorado Privacy Rules ("CPA Rules"), which clarify the requirements of the Colorado Privacy Act and create obligations for organizations that conduct business in Colorado and either target more than 100,000 consumers annually or profit from the sale of personal information of 25,000 or more Colorado residents (referred to below as "Controllers").
Specifically, we previously discussed the general requirements of the Privacy Notice, as well as how to ensure that Data Subject Rights are communicated to your users in accordance with the requirements of the CPA. We also covered the Right to Access and the Right to Opt-Out, and how to comply with them. Today we continue with the other rights granted by the CPA and covered by the CPA Rules, particularly the Right to Correction, the Right to Deletion, the Right to Data Portability, and the requirements for the Universal Opt-Out Mechanism.
Right to correction
All consumers have a right to correct inaccurate personal information that a Controller holds about them, and a Controller must comply with a correction request by correcting the information in all its systems, except archives and backups. Providing functions within a user's profile that let users correct information about themselves is considered compliant with the CPA, provided that consumers are given clear instructions on how to use them. If you receive a request to correct information, you may also point users to the guidance on how to correct their information in their profile within your system.
As a Controller, you may need to ask for more information before complying with a request, in order to confirm that the information provided by a consumer is accurate. In doing so, you must ensure that:
- You provide a clear explanation of why the information is required;
- The submitted information is only processed to verify the consumer’s request;
- Security measures currently in place also apply to this information.
If the consumer rejects or ignores your request to submit additional information, and you have no documentation to support the accuracy of the stored information, the consumer's assertion of inaccuracy shall be deemed sufficient. However, when there are documents supporting the accuracy of the information stored and processed, as a Controller you may decide not to act upon the request, unless other factors apply.
Right to deletion
Similar to the Right to correction, as a Controller you must permanently erase personal data from all your systems, except archives and backups. Anonymization of personal information in such a way that it cannot be reversed and traced back to an individual is also considered a compliant alternative to permanent deletion.
In case an exemption applies, and you are required to continue storing information, you may comply with a deletion request by opting the consumer out of processing. In this case, you are permitted to continue storing information but not to process it.
Right to data portability
Consumers have a right to receive their personal information in a portable, readily usable format, or to request that it be transferred to another Controller. To comply with such a request, you must transfer the personal information to the consumer through a secure method (which may include two-factor authentication, or sending an encrypted file separately from its key) in a commonly used, readable format that allows the user to read the information or transmit it further.
A Controller is not required to provide personal information to a consumer in a manner that would disclose the Controller's trade secrets. When complying with a request to access Personal Data in a portable format, Controllers must provide as much data as possible in a portable format without disclosing the trade secret.
Universal opt-out mechanism
The purpose of the Universal Opt-Out Mechanism is to provide consumers with a simple and easy-to-use method to exercise their opt-out rights. A Universal Opt-Out Mechanism may express the consumer's choice to opt out of targeted advertising, sale, and profiling, either separately or altogether. Global Privacy Control (GPC) is an example of such a signal, which Controllers will have to monitor and comply with according to the choices signaled by the consumer.
As a Controller, you must state in your Privacy Notice whether such signals are recognized and complied with, including any limitations. A valid Universal Opt-Out Mechanism shall indicate the consumer's freely given choice to opt out. When processing a Universal Opt-Out Mechanism, you cannot collect additional personal information beyond what is strictly necessary to authenticate whether the consumer is a resident of Colorado and to determine that the mechanism represents a legitimate request to opt out of the processing of personal information.
The Colorado Department of Law will maintain a public list of Universal Opt-Out Mechanisms that have been recognized, which shall be released before January 1, 2024.
Here and in the previous part of this overview, we provide a short version of the rules, focusing on data subject rights and how to comply with them. The Colorado Privacy Act Rules are much more comprehensive in this regard. If your company is a Data Controller that must comply with the Colorado Privacy Act, we recommend that you familiarize yourself with the full version of the Colorado Privacy Act Rules. They will help you better understand how to comply with the CPA and avoid penalties by acquainting you with the requirements imposed on your website, the obligation to store proof of compliance, the obligation to display a Privacy Notice, and the obligation to maintain records.