A little more than three months ago, we wrote about the impending expansion of the state privacy patchwork. At the time, Virginia’s Consumer Data Protection Act (VCDPA) was a signature away from becoming law, with promising efforts also underway in Washington and Oklahoma. Now, with VCDPA officially on the books and many state legislative sessions winding down for the year (the Washington and Oklahoma bills eventually failed to pass), the new privacy landscape is coming into focus, but not before one last twist. A month ago, Colorado legislators surprised many by passing their own comprehensive privacy legislation, the Colorado Privacy Act (CPA). With Governor Polis’s recent approval of the measure, Colorado becomes just the third state to adopt comprehensive privacy rules, following California and Virginia’s lead. App developers should take a moment to review the law to understand its scope and determine what steps they may need to take to comply before it takes effect on July 1, 2023. We provide some highlights here.
Applicability
CPA applies to any data controller that conducts business in Colorado, or produces or delivers products or services intentionally targeted to Colorado residents, and that either (1) controls or processes the personal data of at least 100,000 Colorado consumers in a calendar year or (2) derives revenue from the sale of personal data of 25,000 or more Colorado consumers in a year. Notably, the applicability thresholds here diverge from California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA), which include a minimum revenue threshold; if you are a data controller that meets the above specifications, revenue does not factor into your liabilities under the law.
Despite CPA’s expansive scope, it does create several exemptions for data already regulated through certain sector-specific privacy laws and other special cases. For instance, among numerous other carveouts, the bill exempts protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), personal data covered by the Gramm-Leach-Bliley Act (GLBA), personal data regulated by the Children’s Online Privacy Protection Act (COPPA), certain data maintained by the state, and certain data maintained by public utilities.
Consumer Rights
In general, businesses compliant with the General Data Protection Regulation (GDPR), VCDPA, or CCPA/CPRA should already be familiar with, and well-positioned to comply with, many of CPA’s consumer rights provisions. Similar to those laws, CPA includes basic consumer rights to access, correct, and delete data, as well as the right to opt out of the sale of personally identifiable information. Importantly, the definition of “sale” under CPA hews closest to the definition under CCPA/CPRA and means the “exchange of personal data for monetary or other valuable consideration by a controller to a third party.” Developers should be particularly aware of the inclusion of the term “valuable consideration,” which expands the definition of sale to include many transactions beyond strict data-for-money transfers.
Another key feature to note is that, similar to VCDPA, CPA requires controllers to obtain affirmative opt-in consent for the processing of sensitive data, which under the bill means “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship status.” Also note that the definition of “sensitive data” in CPA differs from the definitions offered in GDPR, VCDPA, and CCPA/CPRA, each of which includes a different combination of protected characteristics.
Like VCDPA, CPA also goes further than CCPA/CPRA by allowing consumers to opt out of the processing of personal data for the purposes of targeted advertising and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” Under CPA, “targeted advertising” means “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time” based on the consumer’s activities on third-party websites. Meanwhile, “profiling” means “any form of automated processing of personal data” in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, such as a lending decision.
Another novel feature of CPA is that consent may not be achieved through dark patterns, a term defined to mean “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.” The inclusion of language around dark patterns meshes with recent Federal Trade Commission (FTC) interest in the topic, and developers should remain aware that further guidance and/or rulemaking on dark patterns is likely at the federal level.
Finally, effective July 1, 2024 (one year after the underlying law becomes effective), controllers must allow users to effectuate their opt-out preferences through a universal opt-out mechanism that meets certain technical specifications to be established by future rulemaking by the state attorney general. A universal opt-out provision was previously explored in CPRA, which currently makes compliance optional (pending CA AG rulemaking, due January 1, 2023). This feature is intended to simplify the process of opting out so that consumers can signal their preferences across the board to controllers with a single click, likely through a browser-level control similar to an ad-blocking plug-in.
Enforcement
Enforcement authority for CPA will be shared between the Colorado Attorney General’s Office and state district attorneys, which will consider a violation of the law a deceptive trade practice. In Colorado, deceptive trade practices can result in civil penalties of up to $20,000 per violation per consumer, creating a theoretically potent multiplier effect if the violation is widespread. Like the VCDPA, CPA does not include a private right of action for data breaches, as is the case with CCPA/CPRA.
Unique enforcement provisions of CPA include its preemption clause, which precludes counties, cities, and municipalities from enacting differing comprehensive privacy requirements, meaning privacy law in Colorado should remain stable for the time being. CPA also features a right-to-cure period that sunsets after July 1, 2025. Until then, controllers will have 60 days to cure a violation following the mandatory notice from the attorney general or district attorney. Additionally, by July 1, 2025, the state attorney general may issue opinion letters and interpretative guidance to clarify certain aspects of the law.
As the state privacy patchwork continues to evolve, the App Association will remain a resource for updates, including any new promising bills or substantive rulemakings. Stay tuned, and in the meantime, follow the App Association and INF on Twitter for timely updates and thought leadership on all things privacy.