Update on Colorado Privacy Act

(SB 21-190)

The Colorado Privacy Act (“CPA”) (SB 21-190) recently repassed the Colorado Senate on June 8, 2021, following its consideration of amendments made by the Colorado House of Representatives, and is now before Governor Polis, who has indicated he will sign it. Once enacted, the CPA generally will go into effect on July 1, 2023, although specific opt-out provisions will be in place for two years pending the issuance of regulations by the Colorado Attorney General. There is also an opportunity for citizens to file a petition seeking to have the law (or some of its provisions) changed by holding a public referendum on the November 2022 ballot.

Much like California and Virginia, the CPA creates consumer privacy rights including the right to opt-out of the processing of personal data, as well as the right to access, correct, or delete personal data, or to obtain a portable copy of personal data. 

AN OVERVIEW 

The CPA applies to an entity that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and that satisfies one or more of the following threshold requirements: (1) it controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year; or (2) it derives revenue, or receives a discount on the price of goods or services, from the sale of personal data and processes the personal data of 25,000 or more consumers.

The law defines personal data expansively; significantly, however, de-identified data and publicly available information are not considered personal data. In general, personal data includes “information that is linked or reasonably linkable to an identified or identifiable individual.” Additionally, personal data does not include data about an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

Similar to the new California Privacy Rights Act (CPRA), the CPA includes a separate category of “sensitive data.” Notably, the definition of sensitive data includes genetic and biometric data that can be used to uniquely identify an individual. The law does not include a separate definition of genetic or biometric data; however, it does state that sensitive data cannot be processed without first obtaining the consumer’s consent.

Significant for testing organizations, the definition of “personal data” does not include inferences drawn from any information used to create a profile about a consumer. Nevertheless, the law does include a provision allowing consumers to opt out of profiling, which is defined as “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preference, interest, reliability, behavior, location, or movements.” Clearly, this language has implications for the use of automated decision-making and AI. Consequently, these provisions appear to be in conflict with one another and will undoubtedly create confusion; they will need clarification, most likely through implementing regulations.

The law specifies how controllers must fulfill duties regarding consumers' exercise of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and handling sensitive data.  If a controller obtains consumer consent, it must be “freely given,” requiring specific, informed, and unambiguous agreement (e.g., a written statement, including by electronic means, or other clear affirmative action signifying agreement).

Importantly, the law does not restrict a controller’s or processor’s ability to use personal data to: “… (IV) investigate, exercise, prepare for or defend actual or anticipated legal claims; (V) conduct internal research to improve or develop products, services, or technology; (VI) identify and repair technical errors that impair existing or intended functions; (VII) perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller; (VIII) provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract; (IX) protect the vital interests of the consumer or of another individual; (X) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any such action;....

Exemptions from what constitutes personal data include: (i) de-identified data; and (ii) publicly available information. Publicly available information means “information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”

The law does not restrict a business from using de-identified personal information, provided the business (a) reasonably implements measures to ensure that the data cannot be associated with an individual; (b) publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and (c) contractually obligates any recipients of the information to comply with the requirements of this subsection (11).

The law also contains an expansive list of information that is exempt from protection, notably: (a) protected health information that is collected, stored, and processed by a covered entity or its business associates under HIPAA; (b) information created by a covered entity for purposes of complying with HIPAA and its implementing regulations; (c) personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Children’s Online Privacy Protection Act (COPPA), or the Family Educational Rights and Privacy Act (FERPA); (d) data maintained for employment records purposes; and (e) data maintained by a state institution of higher education, the state, the judicial department, or municipalities, provided the use of personal data is authorized by state and federal law for non-commercial purposes.

With respect to personal data rights, the CPA establishes the following consumer rights:

  • Right to opt out of the processing of personal data for purposes of (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
  • Right of access to the consumer’s personal data;
  • Right to correct inaccuracies in the consumer’s personal data;
  • Right to delete personal data concerning the consumer;
  • Right to data portability.

In regard to the privacy notice/privacy policy, a controller is required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data collected or processed; (2) the purposes for which those categories of personal data are processed; (3) how and where consumers may exercise their rights; (4) the categories of personal data that the controller shares with third parties, if any; and (5) the categories of third parties, if any, with whom the controller shares personal data.

Further, the CPA defines a “processor” as a person that processes personal data on behalf of a controller. The law further states that the responsibilities of a processor include: (1) meeting its respective obligations established under the law; (2) adhering to the instructions of the controller and assisting the controller to meet its obligations under the law; (3) ensuring that each person processing personal data is subject to a duty of confidentiality; (4) implementing appropriate technical and organizational measures to ensure a level of security commensurate with the risk; and (5) being subject to a binding contract between the controller and the processor. The CPA further states that a contract may not relieve a controller or a processor of the liabilities imposed on it by virtue of its role in the processing relationship.

As such, this provision recognizes the need for, and authorizes, a testing organization acting as a controller to use the services of one or more vendors, with whom test takers’ personal information must be shared, in performing the full range of testing services.

In regard to children, the CPA defines personal data from a known child under the age of 13 as “sensitive data.” It further states that a controller shall not process a child’s sensitive data without first obtaining consent from the child’s parent or lawful guardian.

Insofar as data protection assessments are concerned, the CPA requires that a controller conduct and document a data protection assessment of each of its processing activities involving personal data that presents a heightened risk of harm to a consumer. A heightened risk of harm is defined as the processing of (a) personal data for targeted advertising or profiling; (b) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (c) financial or physical injury to consumers; (d) physical or other intrusion upon the solitude or seclusion or private affairs or concerns of consumers; (e) other substantial injury to consumers; (f) the sale of personal data; and (g) the processing of sensitive data.

Significantly, the CPA does not authorize a private right of action for a violation of its provisions or of any other provision of law. A violation of the law constitutes a deceptive trade practice. Instead, the attorney general and district attorneys have exclusive authority to enforce the law. The attorney general is expected to promulgate rules to administer the law, including technical specifications for a universal opt-out mechanism that controllers must use.

COMPARISON OF CPA AND CALIFORNIA’S CCPA/CPRA

A high-level comparison of the CPA with the CCPA/CPRA reveals the following key points:

  • The CPA largely conforms with the final regulations on the CCPA, enabling a covered business/controller to use a consumer’s personal information in a number of ways for legitimate business purposes, including sharing personal information with vendors to accomplish those business purposes;
  • The CPA does not include a threshold requirement related to deriving a percentage of global revenue from selling or sharing personal data;
  • The CPA and CCPA/CPRA both define personal data in substantially similar ways, but the CPA includes biometric data within its definition of sensitive data, although there is no definition of biometric data for guidance; and
  • The CPA, similar to the CCPA, requires a controller to conduct a risk assessment of its use(s) of personal information, which assessment is protected from public disclosure and may be used for regulatory purposes.

ATP will monitor the status of this bill and keep members updated on similar legislation in other states and regions. For further information contact ATP's General Counsel Alan J. Thiemann at [email protected]