Comprehensive Data Privacy Rules Reach Colorado: How to Comply With the Colorado Privacy Act

Vol. 52, No. 8 [Page 24]
Colorado Lawyer
October, 2023

ANTITRUST AND CONSUMER PROTECTION LAW

BY JESSICA J. ARETT AND EMILY F. KEIMIG

This article discusses the provisions of the Colorado Privacy Act, a new law that imposes stricter requirements for protecting consumer data.

The last few years have seen a sea change in the way governments around the world address issues related to citizen and consumer privacy, and this year Colorado officially added to the tsunami. On July 1, 2023, the Colorado Privacy Act (the Act) came online, joining California,[1] Connecticut,[2] and Virginia[3] in this new frontier (with other states joining soon).[4]

Although the Colorado Attorney General's Office finalized the rules for the Act (rules) on March 15, 2023, many questions remain for companies seeking to implement compliance programs. This article provides an overview of the requirements of the Act and rules and offers practical tips for companies as they attempt to comply with the law.

General Framework of the Act

Though there are some key differences, Colorado's law is largely modeled on two similar laws: the California Privacy Rights Act (CPRA) and the European Union's General Data Protection Regulation (GDPR). The Act and its accompanying rules have certain distinct components that companies and nonprofit organizations interacting with Colorado consumers should consider when creating their privacy programs and policies.

Brief History of Recent Data Privacy Laws

In 2016, the European Union enacted the GDPR, which shifted the paradigm for thinking about data privacy.[5] Before the GDPR, most general privacy laws relied on a disclosure model: as long as companies disclosed to consumers how they intended to use their data, consumers had no choice but to either not engage with that company or accept that company's representation that it would use the consumers' data as disclosed. The GDPR changed this framework, requiring companies not just to disclose how they are using their data but also to have a legal basis for any given use. The GDPR also provided consumers with new rights, including the now-famous "right to be forgotten." Essentially, the GDPR shifted consumer data from a resource that companies had total control over to a resource that companies jointly control with the consumers who provide the data.

The changed framework has been an attractive model for US lawmakers, because when state legislatures have considered comprehensive privacy laws, multinational companies have advocated for frameworks similar to the GDPR to simplify compliance. As a result, when California became the first state in the nation to pass a comprehensive privacy law, it borrowed much of its framework from the GDPR. Since then, the states that have enacted comprehensive data privacy laws, including Colorado, have done the same.[6]

What Data Is Protected?

The Act defines personal data as information that is linked or reasonably linkable to an identified or identifiable individual. The protections apply to data of "consumers," defined as Colorado residents "acting only in an individual or household context."[7] Importantly, and in contrast to the CPRA and the GDPR, the Act explicitly exempts from protections individuals acting "in a commercial or employment context," meaning that employment and business-to-business data is not subject to the Act.[8] This comes as a huge relief to employers in particular, as protections for employee data are typically covered by other, potentially conflicting, laws.

Who Must Comply?

Unlike the CPRA and the GDPR, Colorado's law specifically targets entities that process large amounts of personal consumer data. The Act uses many definitions found in the GDPR, including "controller" for entities that determine the purpose for and means of processing data (defined as collecting, using, selling, storing, disclosing, analyzing, deleting, or modifying) and "processor" for entities like vendors that process data on behalf of a controller.[9] The Act applies to any legal entity (including a nonprofit entity) that conducts business in Colorado or provides products or services in Colorado that are "intentionally targeted" to residents of Colorado and (1) annually controls or processes personal data of at least 100,000 Colorado residents or (2) derives revenue (or receives discounts) from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents.[10] Thus, the Act creates an incentive for companies to avoid selling or obtaining some economic benefit from selling personal data.

The Act exempts certain entities that are required to comply with other data privacy laws (such as financial institutions covered by the Gramm-Leach-Bliley Act). Furthermore, certain types of data are not subject to the Act (e.g., data that is already protected by HIPAA).[11]

Consumer Rights

One of the Act's primary goals is to provide consumers with more control over their data held by entities subject to the Act. As a result, the Act grants consumers new rights, including the rights to access, correct, and in some cases delete data held by the entity about them; the right to obtain a copy of their personal data in a portable format; and the right to opt out of certain uses of their data.[12] Specifically, the opt-out gives consumers the right to opt out of (1) the processing of their personal data for purposes of targeted advertising, (2) the sale of their personal data, and (3) the use of their data for "profiling" when the profiling is done as part of a decision that has legal or similarly significant effects...
