Colorado Attorney General Begins Enforcement of the CPA

On July 12, 2023 Attorney General Phil Weiser sent letters to businesses in Colorado announcing that the Colorado Privacy Act enforcement would begin. Enacted back in 2021 and effective as of July 1, 2023, the CPA mandated that consumers had to be provided with a universal opt-out mechanism. Coupled with the fact that the final rules of the CPA are also in effect now, the AG's letters sent out mean that businesses will need to be ready to show compliance or risk facing the penalties imposed.

According to the press release on the official website of the Attorney General, the initial round of letters “will focus on educating companies that operate in Colorado on their new legal obligations. There is particular emphasis on obligations relating to the collection and use of sensitive data, including the requirement to obtain consumer consent prior to collecting sensitive data, and the obligation to allow consumers to opt out of targeted advertising and profiling.”

The CPA applies to any controller that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and either

• Controls or processes the personal data of 100,000 consumers or more during a calendar year, or
• Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”

However, unlike California’s CCPA, or Virginia’s CDPA,  it does not include revenue thresholds and applies to smaller businesses who derive less than 50% of their revenue from the sale of data. 

As regards the definition of sensitive data, the CPA defines this as “personal data revealing: 

• racial or ethnic origin, 
• religious beliefs, 
• a mental or physical health condition or diagnosis, 
• sex life or sexual orientation, 
• citizenship or citizenship status,
• genetic or biometric data that may be processed for the purpose of uniquely identifying an individual,
• personal data from a known child.”

What this means for covered entities is that they have a series of obligations, as follows: 

• Providing consumers with clear, understandable, and transparent information about how and why they collect, store, use, share, and sell personal data;
• Responding to consumer requests to access, delete, correct, and get a portable copy of their personal data;
• Allowing consumers to opt out of the sale of personal data as well as targeted advertising and certain kinds of profiling;
• Obtaining consent before collecting or using sensitive data; and
• Only collecting the minimum amount of personal data necessary from consumers.

Additionally, controllers that process sensitive data have to conduct and document DPIAs (data protection impact assessments) and have to confirm that appropriate consent was obtained.

As far as targeted advertising is concerned, the CPA defines this as “displaying to a consumer an ad that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.” In layman’s terms, a website that uses advertising tracking technology such as the Meta pixel has to allow its visitors the option to turn off the tracking technology so that the visitor’s information will not be sold to the company owning the pixel. As such, those companies who use personal data for targeted advertising have the following obligations:

• Clearly and conspicuously disclose the sale or processing of data as well as the way in which a consumer may exercise their right to opt out. This can be done via a footer link such as one called “Your Privacy Choices,” a common name for this footer link that is aligned also to California’s consumer privacy law.
• Make sure that their websites listen for and process preference signals such as GPC (global privacy control), a technology that allows consumers to turn on one setting which will inform all websites that the consumers visit that they do not wish to have their personal information sold for the purpose of targeted advertising.

One final step businesses should take is to review their privacy policies and update these as needed, ensuring that consumers are informed about what is collected, how this is handled, and how consumers can exercise their data subject rights.

AG Phil Weiser stated in the aforementioned press release the following: 

“As I’ve said publicly throughout the process, this Department’s enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy. Our enforcement of this important law will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts. [...] These letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

What this means for businesses is that they can probably expect a firm approach from the AG’s office but also a reasonable and collaborative approach. However, that is not to say that the penalties will not sting, as CPA mandates penalties going up to $20,000 per violation and up to $500,000 for repeated violations.