In brief

The Colorado Privacy Act (C.R.S. 6-1-1301, et seq.) (the “CPA”) comes into effect on July 1, 2023. Earlier this year, the Colorado Attorney General promulgated final rules for implementing the CPA (4 CCR 904-3) (the “Rules”). The Rules provide insight as to how the Attorney General may interpret and enforce the CPA. In this alert, we highlight several key aspects of the CPA and the Rules to help businesses focus their compliance efforts.

Background

The CPA is one of the many new state comprehensive privacy laws that have come on the heels of the California Consumer Privacy Act (the “CCPA”). Virginia’s law was effective on January 1 of this year; Connecticut’s law also becomes effective on July 1. Six other states have enacted similar consumer privacy laws which are slated to come into effect over the coming months and years. Per our previous alert, the CPA applies to controllers and processors that either (i) control or process personal data of 100,000 or more Colorado consumers during a calendar year; or (ii) control or process data of at least 25,000 Colorado consumers and derive revenue or receive discounts from the sale of personal data. Under the CPA, “personal data” is information that is linked or reasonably linkable to an identifiable individual. It does not include de-identified data or publicly available information. The CPA does not apply to employment or business-to-business (“B2B”) data.

In depth

The CPA follows a similar regulatory framework as other US state consumer privacy laws. However, there are certain unique features of the Colorado law that may present compliance challenges for businesses, as detailed below.

1. Loyalty Programs

Loyalty programs, which can offer businesses a way to strengthen customer relationships, have attracted increased federal and state regulatory scrutiny in recent years. The Rules do not require specific opt-in consent before a business may enroll a consumer in a loyalty program; however, a consumer’s participation must be voluntary. The Rules mandate particular disclosures that are different from those in the CCPA. Under the CPA, the business must provide to consumers:

a) categories of personal or sensitive data collected under the loyalty program that will be sold or processed for targeted advertising;

b) categories of third parties that will receive such data;

c) list of loyalty program partners and the benefits provided by each partner;

d) an explanation of why a consumer’s request to delete their personal data makes it impossible to provide a loyalty program benefit, if applicable; and

e) an explanation of why sensitive data is required to provide a loyalty program benefit, if applicable.

Additionally, if a controller’s ability to provide the loyalty program benefit is affected by a consumer’s exercise of their data rights, the controller should inform the consumer of this impact at least 24 hours before discontinuing the benefit.

2. Consent

The Rules also clarify certain requirements under the CPA for obtaining a consumer’s consent to process personal data. Per the Rules, consent that was obtained prior to July 1, 2023, will remain valid as long as the consent was validly obtained through the consumer’s clear, affirmative action, it was freely given, specific, and informed, and it represents the consumer’s unambiguous agreement. If not, or if the purpose for processing has changed or changes in the future or if there has been no interaction with the consumer in the past 24 months, the controller must seek new consent.

The Rules also permit a controller to seek new consent later in cases where a consumer opts out, subject to certain limitations (Rule 7.05). If a controller seeks consent after the consumer has opted out, the consent may not be obtained by methods that cause “consent fatigue,” such as interface-dominating cookie banners, high-frequency requests, cookie walls, or pop-ups. A controller may proactively send a consumer a link to provide consent if it reasonably believes that the consumer wants to opt back in. Similarly, if a consumer attempts to use a product or service that is inconsistent with their previous opt-out request, the controller may request new consent.

3. Data Subject Requests

Under the CPA, consumers have the right to confirm if a controller is collecting their personal data, to access their personal data, to download and remove personal data from a platform in a format that allows the transfer to another controller, and to correct and delete personal data. Consumers also have the right to opt out of the sale of their personal data, the use of their personal data for targeted advertising, and certain types of profiling.

The Rules provide clarifications on how controllers should receive and respond to requests. Under the Rules, a controller may provide a single method for consumers to exercise rights under the CPA and other state laws, but the platform must indicate clearly which rights are available to Colorado consumers (Rule 4.02(C)). The Rules also require a controller’s privacy notice to include a list of data rights available to Colorado consumers (Rule 6.03(A)(3)).

4. Data Protection Assessments

The CPA also requires controllers to conduct a data protection assessment when data processing “presents a heightened risk of harm” to consumers. The Rules provide detailed instructions on the assessments, including the expectation that all relevant internal and external stakeholders be involved (Rule 8.03).

Per the Rules, assessments must include: a summary of the processing activity; categories of personal data being processed; the context of the processing, including a description of the controller-consumer relationship; operational elements of the processing; the core purposes of the processing; the risks to the controller, consumers and other stakeholders, and measures the controller will employ to mitigate such risks; relevant internal and external stakeholders involved in the data protection assessment; and any audits conducted as part of the assessment. If the processing involves profiling, additional information should be included in the assessment (Rule 9.06).

Key Takeaways

The Rules confirm that, although the CPA shares a common overall framework with the CCPA and other recent consumer privacy laws, businesses should review their privacy programs carefully to ensure compliance with the new Colorado law. The US privacy landscape is already complex, and new laws like the CPA demonstrate that companies must find ways to leverage existing compliance resources and adapt to each law’s specific requirements.

If you have any questions on the CPA or need assistance with privacy law compliance, please contact any of the Baker McKenzie attorneys listed below.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Tom is a member of the North America Litigation & Government Enforcement Practice Group in Baker McKenzie's Los Angeles office, and supports the Firm’s privacy, cybersecurity and other international regulatory and advisory practices.