Colorado Privacy Act Signed Into Law: What You Need to Know

Privacy law is a trending topic in the United States. In the shadow of groundbreaking GDPR laws in the European Union, the lack of federal privacy laws in the U.S. has become blatantly apparent. In absence of federal privacy laws, a small number of states have enacted state privacy laws. In this article, we will provide a brief overview of key takeaways of the new Colorado Privacy Act.

It’s interesting to note that the US’s perspective on personal data protection is “sectoral,” which means that information privacy protection laws are generally aimed at a specific industry. In contrast, the European Union’s general approach, and more specifically the GDPR’s approach, is a “comprehensive” model which outlines sweeping data privacy and security requirements for organizations of all sizes and in all industry categories. To date, there is no US federal privacy law in effect, but individual states have modeled their own privacy laws on a “comprehensive” model, not unlike the GDPR.

What are Privacy Laws?

Generally speaking, privacy laws are divided into two groups: vertical and horizontal.

Vertical privacy laws protect personal, private information such as medical records, financial details, and identity data.

Horizontal privacy laws control how organizations make use of or sell information, regardless of the sensitivity of the data or its context. The types of data covered by these laws include biometric data and other less sensitive personally identifiable information (PII) such as names and addresses.

Let’s Dive In

The Colorado Privacy Act was signed into law on July 8, 2021, making Colorado the third state to pass a privacy law to protect the personal information of its residents. Colorado’s new law ushers in additional compliance obligations for businesses that engage with Colorado residents both online and offline starting in 2023. The Colorado Privacy Act’s effective date is July 1, 2023. The law covers any entity that conducts business in Colorado or intentionally provides services or delivers products to state residents and that either:

  • Controls or processes the personal data of 100,000 or more consumers a year
  • Controls or processes the personal data of 25,000 or more consumers and derives revenue, or receives a discount on the price of goods or services, from the sale of personal data

The CPA Outlines 5 Consumer Rights

Controllers have an obligation to communicate to consumers a process by which they may submit a request regarding their personal data: to access it, correct errors, delete it, and subsequently appeal a decision on any of those requests.

Right to Access

Consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”

Right to Correction

Consumers have “the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”

Right to Delete

Consumers have “the right to delete personal data concerning the consumer.”

Right to Data Portability

Consumers have “the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”

Right to Opt-Out

Consumers have “the right to opt-out of the processing of personal data concerning the consumer for purposes of

  • targeted advertising
  • the sale of personal data
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

Controllers must establish a user-selected universal opt-out mechanism by the deadline of July 1, 2024.

Right to Appeal

According to the Colorado Privacy Act regulations, a consumer request must be responded to within 45 days of receipt. The covered entity may subsequently extend that deadline by an additional 45 days if they are able to show reasonable necessity. However, when the deadline is extended, the consumer must be notified within the initial 45-day response period.

When a business does not act on the consumer’s request to exercise these rights, or declines to respond, the CPA mandates that the controller provide an appeal process that “must be conspicuously available and easy to use.”

The CPA Outlines 7 Controller Obligations

Duty of Transparency

The CPA requires a controller to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.” This notice must include:

  • The categories of personal data collected or processed by the controller
  • The purposes for which the data is processed
  • How consumers can exercise their previously mentioned rights and appeal a decision
  • Which categories of personal data are shared with third parties
  • The categories of third parties with which data is shared

If the data will be sold to a third party or designated for advertising campaigns, the controller shall “clearly and conspicuously disclose the sale or processing” as well as the opt-out mechanism.

Duty of Purpose Specification

Upon collection of personal data, a controller must “specify the express purposes for which personal data are collected and processed.”

The law seems to require something more than the standard “how we use your information” section in a privacy policy. According to a Colorado Privacy Act summary, businesses would be required to state the specific purposes for which data is collected and processed in “sufficiently unambiguous, specific, and clear” terms.

Duty of Data Minimization

The Colorado Privacy Act imposes a policy of data minimization whereby “a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”

Duty to Avoid Subsequent Use

Without consent, it is illegal for a controller to process personal data for “purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed.”

Duty of Due Care

Controllers must exercise due care in securing the personal data they store and use. The measures taken must be appropriate to the “volume, scope, and nature of the personal data processed.”

Duty to Avoid Personal Discrimination

Controllers may not process personal data in a way that violates state or federal laws prohibiting unlawful discrimination against consumers.

Duty of Protecting Sensitive Data

Sensitive data is inferential information that indicates racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, or citizenship. Consent must be obtained before processing sensitive data unless all four of the following conditions are met:

  1. the purpose of the processing is obvious to a “reasonable Consumer”
  2. both the underlying personal data and the Sensitive Data Inferences are deleted within 12 hours of collection or completion of the processing activity
  3. the data is not sold or even shared with any processors
  4. the data is not processed for any secondary purpose

If the business does rely on consent (as it most likely will), the Draft Colorado Rules set forth extensive requirements for how that consent must be obtained.

The CPA does not take effect until 2023, but it is always a good idea to get an early start on assessing your data privacy obligations and begin working toward Colorado Privacy Act compliance. At Centraleyes we keep an eye out for evolving data privacy laws and update our platform as the law is amended. If you have any questions regarding the Colorado Privacy Act, feel free to reach out to us.