Colorado CPA

Who is excluded from CPA compliance? 

The CPA excludes from compliance several types of entities and of data: 

• Certain HIPAA- regulated entities, but not all of them exclusively, only specific health care controllers;
• Entities that are regulated by the Gramm-Leach-Bliley Act;
• Air carriers that are subject to the Federal Aviation Administration Regulation;
• National security associations that are regulated by the Securities Exchange Act;
• De-identified data;
• Personal data that is regulated by the COPPA, the Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act of 1994;
  
  

How can I keep my organization CPA compliant? 

CPA  outlines a series of duties that companies must adhere to in order to be compliant: 

1. Duty of transparency: you have to provide your website visitors with “a reasonably accessible, clear, and meaningful privacy notice” that includes: 

• The categories of personal data that you collect and/or process;
• The reasons for processing their personal data;
• How they submit data access requests or appeal decisions about these;
• The categories of data that you share;
• The third parties that you share data with - as is the case;
• Clear information about the sale or processing of their personal data as well as a means to opt out of these.

1. Duty of purpose specification: you are required to “specify the express purposes for which personal data are collected and processed.”
2. Duty of data minimization: the amount of data you collect has to be “adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data was collected.”
3. Duty to avoid secondary use: unless you first obtain the consent of your website visitors, you are required to restrict the use of the personal data you collected to only the specified purposes for which you collected it in the first place.
4. Duty of care: you are required to take “reasonable measures” to secure the safety of the personal data you collected and these measures have to be “appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”
5. Duty to avoid unlawful discrimination: you are prohibited from processing personal data “in violation of state or federal laws that prohibit unlawful discrimination against consumers.”
6. Duty regarding sensitive data: before you can process the sensitive data of any individual you are required to first obtain their consent for this. If the individual is a child, you have to obtain consent from the child’s parent or legal guardian. 

In addition to these 7 duties, the CPA also mandates that you conduct data protection assessments stating that you cannot conduct a processing activity “that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities,” and that any data processing done by a processor has to be “governed by a contract between the controller and the processor,” which establishes “the processing instructions to which the processor is bound, including the nature of the processing, the type of personal data subject to the processing, and the duration of the processing.” 

What data access rights does CPA grant? 

The CPA gives consumers five main rights: 

• Right to access: giving them “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
• Right to correct: meaning ““the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.”
• Right to delete: meaning ““the right to delete personal data concerning the consumer.”
• Right to data portability: which is “the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”
• Right to Opt Out: giving your website visitors “the right to opt out of the processing of personal data concerning the consumer for purposes of:
• targeted advertising;
• the sale of personal data, or
• profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

Similar to the CDPA, it adds another right: the Right to Appeal. Consumers can appeal your decision to not reply to their data subject access request directly with you but if their appeal receives an unfavorable answer or if they are worried about what the decision was, they have to be informed in a “conspicuously available” and “easy to use” way how to contact the Attorney General. 

How should companies  address data subject access requests under CPA? 

Upon receiving a data subject access request, you have to follow several steps: 

• Authenticate the request “using commercially reasonable efforts” and if that is not possible, you are allowed to “request the provision of additional information reasonably necessary to authenticate the request.” Unless you are able to do this, you are not required to comply with the request. 
• Once the authentication process is complete, you have to inform the person that submitted the request of the action(s) taken within 45 days of receiving the request, or of the need for an extension of time of another 45 days “where reasonably necessary, taking into account the complexity and number of the requests.”
• The information you provide following a request has to be free of charge, with the exception that for a second or subsequent request within a 12 month period, you may charge an amount, calculated according to section 24-72-205 (5) (a) of the Colorado Revised Statutes.
• If you do not take any action on a request, you have to inform the person who sent the request within the initial period of 45 days of this, along with the reason for not taking any action and instructions on how to appeal this decision. 
• Within 45 days of receiving an appeal, you have to inform the person who submitted the appeal of your decision, along with a written explanation, or you have the option to extend the period of time by an additional 60 days “where reasonably necessary”.
• At the end of either the 45 days or the 60 days period, if the person that submitted the appeal is worried about the result you provided, they have to be informed by you of their ability to contact the Attorney General. 
  
  

Enforcement and penalties

The provisions of the CPA  are enforced by both  the state  Attorney General and the District Attorneys. There is no private right of action under CPA.

Until January 1st, 2025, in the event of a violation of the CPA, the Attorney General or District Attorney will issue a notice of violation “if a cure is deemed possible.” If you fail to cure the violation within 60 days after receiving the notice, action may be brought against you. 

As far as penalties are concerned, under CPA, a violation is considered as deceptive trade practice, and the penalties for this can range between $2,000 and $20,000 per violation, according to the Colorado Revised Statutes, Title 6.

Data Subject Rights - GDPR vs. CPA