Colorado Privacy Act – Enforcement is here
Jul 18, 2023

The Colorado Privacy Act (“CPA”), Colorado’s first comprehensive consumer privacy law, came into effect on July 1, 2023. As with many new privacy laws, though, there has been uncertainty surrounding when meaningful enforcement would start and what any such enforcement activities would target. The Colorado Attorney General’s Office has made clear in a recent press release, however, that enforcement is coming. In this release the AG’s office confirmed its plans to start notifying companies of their potential noncompliance and to focus generally on a few key issues, as discussed below. As a reminder, the CPA applies to entities that operate in Colorado or target Colorado citizens and, annually, either collect more than 100,000 consumers’ personal data, or receive revenue or otherwise benefit from the sale of personal data and process the personal data of more than 25,000 consumers.[1] Notably, and unlike most US state privacy laws, not-for-profit organizations meeting these thresholds are also subject to the CPA.
In this July 12, 2023 press release, the Attorney General noted, “As I’ve said publicly throughout the process, this Department’s enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy. Our enforcement of this important law will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts. These letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”
As expected, the initial rounds of letters will focus on educating companies of their legal obligations under the CPA, with a particular focus on compliance with the sensitive data requirements and the obligation to allow consumers the right to opt out of targeted advertising and profiling. As part of these efforts, enforcement actions are likely to also focus on required disclosures in privacy policies.
With this in mind, key areas of focus for CPA compliance should include as a starting point:
- Providing a “reasonably accessible, clear, and meaningful privacy notice” that informs Colorado consumers about how their personal data is processed, including what types of data are collected, how the data is used and shared, the purposes of the processing of personal data, and how consumers can exercise their data subject rights.[2]
- Obtaining opt-in consent before processing sensitive data.[3] Under the CPA, “sensitive data” means (i) personal data “revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status”; (ii) genetic or biometric data that may be “processed for the purpose of uniquely identifying an individual”; OR (iii) personal data from a known child.[4]
- Providing consumers the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. An organization that processes personal data for purposes of targeted advertising or the sale of personal data is required to provide a clear and conspicuous method outside of the privacy policy to exercise the right to opt out of the processing of personal data concerning the consumers.[5]
Note that until January 1, 2025, prior to any enforcement action, the Attorney General must issue a notice of violation to the organization if a cure is possible. If the organization fails to cure the violation within 60 days, only then can the Attorney General bring an enforcement action.[6]
Nevertheless, the consequences for failing to comply with the CPA can be stiff and implementing the CPA’s requirements will require time and effort across the entire organization. The Colorado Attorney General and local district attorneys are responsible for enforcing the CPA. Violating the CPA is deemed a deceptive trade practice under Colorado law, and fines can be up to $2,000 per violation, per consumer, up to a maximum penalty of $500,000.[7]
If your organization has not done so already, now is the time to consider whether the CPA applies and, if so, what compliance measures will be required.
[1] Col. Rev. Stat. § 6-1-1304(1).
[2] Col. Rev. Stat. § 6-1-1308(1)-(2).
[3] Col. Rev. Stat. § 6-1-1308(7).
[4] Col. Rev. Stat. § 6-1-1303(24).
[5] Col. Rev. Stat. § 6-1-1306(1)(a)(III).
[6] Col. Rev. Stat. § 6-1-1311(1)(a)(d).
[7] Col. Rev. Stat. § 6-1-1311.