What is CPA?
After California and Virginia, Colorado became the third US state whose legislature passed a comprehensive data privacy law: the Colorado Privacy Act, known as the CPA. The CPA regulates the way organizations are allowed to obtain, process, use, store and distribute personal information.
The CPA is similar to California's and Virginia's regulations, but it has certain nuances, such as mandating a universal opt-out right for consumers, which organizations must understand to ensure compliance. The CPA will go into effect on July 1st, 2023, by which time the Colorado Attorney General, whose office will be enforcing the CPA, should provide additional guidance regarding compliance as well as technical specifications for the universal opt-out right.
What is Personal Information and what are other key definitions?
The CPA defines personal information as personal data, meaning “information that is linked or reasonably linkable to an identified or identifiable individual” but which does not include “de-identified or publicly available information”.
Under CPA, a child is “an individual under thirteen years of age” and consent is “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.”
Just like with other privacy laws, Colorado’s Privacy Act makes a distinction between personal data and sensitive data, which is defined as “personal data revealing:
- racial or ethnic origin,
- religious beliefs,
- a mental or physical health condition or diagnosis,
- sex life or sexual orientation,
- citizenship or citizenship status,
- genetic or biometric data that may be processed for the purpose of uniquely identifying an individual,
- personal data from a known child.”
Last but not least, according to the CPA, sale means “the exchange of personal data for monetary or other valuable consideration by a controller to a third party,” while consumers are defined as individuals who are Colorado residents acting only in an individual or household context, without including employees, job applicants, or beneficiaries of employees.
It is important to note that selling of data specifically excludes several types of disclosure of data, similar to the CDPA, namely:
- Disclosures to a processor that processes the personal data on behalf of a controller;
- Disclosures of personal data to third parties for purposes of providing a product or service requested by the consumer;
- Disclosures or transfers of personal data to an affiliate of the controller;
- Disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; and
- Disclosure of personal data:
  - That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
  - Intentionally made available by a consumer to the general public via a channel of mass media.
Who has to comply with the CPA?
The CPA applies to any controller that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and either
  - Controls or processes the personal data of 100,000 consumers or more during a calendar year, or
  - Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”
Unlike the CCPA or the CDPA, the CPA does not include revenue thresholds and applies to smaller businesses that derive less than 50% of their revenue from the sale of data.
Keep in mind that individuals could have multiple IP addresses tied to their personal information, which means that the 100,000-consumer threshold can easily be reached.
Who is excluded from CPA compliance?
The CPA excludes from compliance several types of entities and of data:
- Certain HIPAA-regulated entities (not all of them; only specific health care controllers);
- Entities that are regulated by the Gramm-Leach-Bliley Act;
- Air carriers that are subject to the Federal Aviation Administration Regulation;
- National securities associations that are regulated by the Securities Exchange Act;
- De-identified data;
- Personal data that is regulated by COPPA, the Gramm-Leach-Bliley Act, or the Driver's Privacy Protection Act of 1994.
How can I keep my organization CPA compliant?
The CPA outlines a series of duties that companies must adhere to in order to be compliant:
- Duty of transparency: you have to provide your website visitors with “a reasonably accessible, clear, and meaningful privacy notice” that includes:
  - The categories of personal data that you collect and/or process;
  - The reasons for processing their personal data;
  - How they can submit data access requests or appeal decisions about these;
  - The categories of data that you share;
  - The third parties that you share data with, where applicable;
  - Clear information about the sale or processing of their personal data, as well as a means to opt out of these.
- Duty of purpose specification: you are required to “specify the express purposes for which personal data are collected and processed.”
- Duty of data minimization: the amount of data you collect has to be “adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data was collected.”
- Duty to avoid secondary use: unless you first obtain the consent of your website visitors, you are required to restrict the use of the personal data you collected to only the specified purposes for which you collected it in the first place.
- Duty of care: you are required to take “reasonable measures” to secure the safety of the personal data you collected and these measures have to be “appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”
- Duty to avoid unlawful discrimination: you are prohibited from processing personal data “in violation of state or federal laws that prohibit unlawful discrimination against consumers.”
- Duty regarding sensitive data: before you can process the sensitive data of any individual you are required to first obtain their consent for this. If the individual is a child, you have to obtain consent from the child’s parent or legal guardian.
In addition to these seven duties, the CPA also mandates data protection assessments: a controller cannot conduct a processing activity “that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities.” It also requires that any data processing done by a processor be “governed by a contract between the controller and the processor,” which establishes “the processing instructions to which the processor is bound, including the nature of the processing, the type of personal data subject to the processing, and the duration of the processing.”
What data access rights does CPA grant?
The CPA gives consumers five main rights:
- Right to access: giving them “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
- Right to correct: meaning “the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.”
- Right to delete: meaning “the right to delete personal data concerning the consumer.”
- Right to data portability: which is “the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”
- Right to Opt Out: giving your website visitors “the right to opt out of the processing of personal data concerning the consumer for purposes of:
  - targeted advertising;
  - the sale of personal data; or
  - profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”
Similar to the CDPA, the CPA adds another right: the Right to Appeal. Consumers can appeal your decision not to act on their data subject access request directly with you. If their appeal receives an unfavorable answer, or if they have concerns about the result, they have to be informed in a “conspicuously available” and “easy to use” way how to contact the Attorney General.
How should companies address data subject access requests under CPA?
Upon receiving a data subject access request, you have to follow several steps:
- Authenticate the request “using commercially reasonable efforts”; if that is not possible, you are allowed to “request the provision of additional information reasonably necessary to authenticate the request.” Unless you are able to authenticate the request, you are not required to comply with it.
- Once the authentication process is complete, you have to inform the person that submitted the request of the action(s) taken within 45 days of receiving the request, or of the need for an extension of time of another 45 days “where reasonably necessary, taking into account the complexity and number of the requests.”
- The information you provide following a request has to be free of charge, with the exception that for a second or subsequent request within a 12-month period, you may charge an amount calculated according to section 24-72-205 (5) (a) of the Colorado Revised Statutes.
- If you do not take any action on a request, you have to inform the person who sent the request within the initial period of 45 days of this, along with the reason for not taking any action and instructions on how to appeal this decision.
- Within 45 days of receiving an appeal, you have to inform the person who submitted the appeal of your decision, along with a written explanation, or you have the option to extend the period of time by an additional 60 days “where reasonably necessary”.
- At the end of either the 45-day or the 60-day period, if the person who submitted the appeal has concerns about the result you provided, you have to inform them of their ability to contact the Attorney General.
Enforcement and penalties
The provisions of the CPA are enforced by both the state Attorney General and the District Attorneys. There is no private right of action under CPA.
Until January 1st, 2025, in the event of a violation of the CPA, the Attorney General or District Attorney will issue a notice of violation “if a cure is deemed possible.” If you fail to cure the violation within 60 days after receiving the notice, action may be brought against you.
As far as penalties are concerned, under the CPA a violation is considered a deceptive trade practice, and the penalties for this can range between $2,000 and $20,000 per violation, according to the Colorado Revised Statutes, Title 6.
Data Subject Rights - GDPR vs. CPA

| GDPR | CPA |
| --- | --- |
| Right to access data | Right to access |
| Right to correct inaccurate data | Right to correct |
| Right to the portability of data | Right to data portability |
| Right to delete personal information | Right to delete |
| Right to information about how entities are sharing your data | Right to Opt Out |
| Right to restrict processing | Right to appeal |
| Right to object to processing | |
| Right to object to automated processing | |
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.