Who Is Regulated Under the Colorado Privacy Act?
The Colorado Privacy Act regulates certain businesses that the law terms “controllers.” To qualify as a controller, a business must meet two threshold requirements.
It must:
- Determine the purposes for and the means of processing personal data
- Either conduct business in Colorado OR produce or deliver commercial products or services targeted to Colorado residents
Meeting these two requirements alone does not bring a business within the scope of the Colorado Privacy Act.
A business must meet one or both of the following additional requirements to be considered a covered controller:
- Control or process the personal data of 100,000 consumers or more during a calendar year
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 consumers or more
The Colorado Privacy Act also regulates processors. The law defines a “processor” as “a person or entity that processes personal data on behalf of a controller.” The processor, in effect, is to the controller what a HIPAA business associate is to a HIPAA covered entity.
What Is Personal Data Under the Colorado Privacy Act?
The Colorado Privacy Act regulates the processing and controlling of personal data. The Colorado Privacy Act defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” Like HIPAA protected health information, personal data does not include de-identified information or publicly available information.
The Colorado Privacy Act also protects a particular class of personal data known as “sensitive personal data.” The Colorado Privacy Act defines “sensitive personal data” as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child.”
Colorado Privacy Act and Obligations of Controllers
Under the Colorado Privacy Act, controllers must take the following measures concerning consumer personal data:
- Provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that outlines:
  - The categories of personal data collected or processed by the controller or processor(s)
  - The purposes for the processing
  - How consumers can exercise the rights granted to them by the Colorado Privacy Act
  - The categories of personal data the controller shares with third parties, and the third parties with whom the controller shares the personal data
- Disclose, in a conspicuous manner, any sale of consumer data and how a consumer may opt out of the sale or processing of personal data.
- Limit the collection of personal data to what is adequate, relevant, and “reasonably necessary in relation to the specified purposes for which the data are processed.”
- Take reasonable measures to secure personal data. These measures must be appropriate to the data’s scope, volume, and nature. To comply with this requirement, controllers should assess their existing cybersecurity policies, procedures, and controls to ensure consistency with industry-recognized standards.
- Enter into written contracts with processors that regulate how the processors will process data. Under the Colorado Privacy Act, the contract must identify:
  - The purpose of the processing
  - The type of personal data to be processed
  - The duration of the processing
- Obtain consumer consent before processing sensitive personal data. This consent must be in the form of a clear, affirmative act, such that the consent is freely given, specific, informed, and unambiguous.
What Rights Does the Colorado Privacy Act Grant to Consumers?
The Colorado Privacy Act protects Colorado residents by granting them specific rights concerning their personal data.
The law allows consumers to submit requests to data controllers. Data controllers must, upon request, permit consumers to:
- Opt out of the processing of their personal data for targeted advertising, sale, or profiling
- Confirm if a controller is processing their personal data
- Access their personal data
- Correct inaccuracies in their personal data
- Delete personal data concerning them
- Obtain a copy of their data in a portable manner, if that is technically feasible
The Colorado Privacy Act requires data controllers to respond to an authenticated request within 45 days. Controllers must also establish a process through which consumers may appeal any denial of a request.
Colorado Privacy Act and HIPAA Safe Harbor
The Colorado Privacy Act does NOT apply to protected health information collected, processed, or stored by HIPAA covered entities and business associates. This does not mean that the Colorado Privacy Act leaves health information unregulated. The law specifically exempts from its coverage health data subject to regulation by certain other federal laws. Health data not exempted from CPA coverage by other state or federal law is subject to CPA regulation.