What is Colorado Privacy Act (CPA)

Definition of Personal Data

• Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual.
• The CPA also categorizes certain data as “Sensitive Personal Data” which includes:
  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
  • Personal data from a known child.
• Publicly available and de-identified personal data are not covered under the law.
• Certain forms of Personal Data are exempt from the law:
  • Medical data covered under any medical laws: Many forms of health information, records, data and documents protected and covered under HIPAA, or other federal or state medical laws have been exempted.
  • FCRA covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
  • Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
  • FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
  • Employment data: Personal data maintained for employment records;

Who must comply?

• CPA applies to all data controllers who conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado - if they match any one or both of these conditions:
  • If they control or process the personal data of 100,000 consumers or more during a calendar year; or
  • If they derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.
• The following entities are exempt from complying with CPA:
  • GLBA entities: Financial Institutions or data which is subject to the federal Gramm-Leach-Bliley Act (GLBA) 15 U.S.C. SEC. 6801 ET SEQ., as amended, and implementing regulations, including Regulation P, 12 CFR 1016. are exempt.
  • COPPA compliant entities: Controllers and processors that comply with the Children's Online Privacy Protection Act (COPPA) will be deemed to be in compliance with the CPA;
  • Air Carriers: an air carrier as defined in and regulated under 49 U.S.C. SEC. 40101 ET SEQ., as amended, and 49 U.S.C. SEC. 41713 are exempt.
  • National Securities Association: A National Securities Association registered pursuant to the federal "Securities Exchange Act Of 1934", 15 U.S.C. SEC. 78o-3, as amended, or implementing Regulations are exempt.
  • Public Utilities and Authorities: customer data maintained by a public utility as defined in Section 40-1-103 (1)(a)(I) or an authority as defined in Section 43-4-503 (1) is exempt from the law if the data is not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law.
  • State Institution: data maintained by a state institution of higher education, as defined in Section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes is exempt from the law.

Colorado Privacy Act Enforcement and Penalties

Unlike the VCDPA that can be enforced only by the Virginia Attorney General, the Colorado Privacy Act can be enforced either by the Attorney General or District Attorney, or both. In the event of a notice served by the AG or DA, the controller will be provided 60 days to fix the violation. A non-compliant business or entity shall be fined up to 20,000 per violation.

Important Exceptions

The CPA does not apply to:

• Data processed in an employment or commercial (business-to-business) context: Personal data processed by a controller, processor, or third party is exempt from the application of this law:
  • If the individual data subject is acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
  • If the personal data is maintained for employment records purposes.
  • As the emergency contact information of an individual used for emergency contact purposes;
• Data processed for free speech or household purposes: Nothing in this law applies to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law or the processing of personal data by an individual in the course of a purely personal or household activity.
• Data processed for internal purposes: Nothing in this law restricts a controller or processor from processing personal data to conduct internal research to improve or repair products, services, or technology or to identify and repair technical errors that impair existing or intended functionality or to undertake internal operations reasonably aligned with the consumer’s expectations for performance of a service or provision of a product.
• Data processed for legal obligations: Nothing in this law restricts a controller or processor from complying with other applicable laws, to claim or defend legal claims or cooperate with government authorities or investigations.
• Data processed to protect vital interests or security: Nothing in this law restricts a controller from processing data for protecting the vital interests of the consumer or of another individual or to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
• Data processed for public health reasons: Nothing in this law restricts controllers from processing personal data for reasons of public interest in the area of public health, but solely to the extent that the processing is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

What is the Purpose of the Colorado Privacy Act?

Colorado Privacy Act protects the personal information of Colorado residents by setting new standards for the collection, use, and protection of personal data by businesses operating in the state. The act seeks to give individuals greater control over their personal information and to promote transparency and accountability in the handling of such information by companies.

It further addresses the growing concerns around the misuse and exploitation of personal data, particularly in light of recent high-profile data breaches and privacy violations. The act requires businesses to implement appropriate security measures to protect personal data, and to be transparent about their data practices by providing individuals with information about the data they collect, how it is used, and whom it is shared with.

In short, the Colorado Privacy Act aims to ensure that businesses handle personal information responsibly and securely and to give individuals greater control and visibility over how their personal data is collected, used, and protected.