United States:
Signed the Colorado Privacy Act: What You Need To Know
July 14, 2021
Kramer Levin Naftalis & Frankel LLP
On July 7, 2021, the Colorado Governor signed the Colorado Privacy Act (CPA), which follows similar data protection laws in California and Virginia and is in line with a growing national trend. The CPA takes effect on July 1, 2023, with a 60-day cure period for violations that runs through 2024.
Kramer Levin has developed the following checklist to help your company understand:
- Whether the CPA applies to your company
- What consumer rights it grants and how they compare to the laws of California and Virginia
- How to respond to consumers who exercise these rights
- Best practices to ensure compliance
For companies that have already taken steps to comply with the California and Virginia privacy laws, the good news is that the CPA overlaps with them significantly. The CPA also adopts terms and principles from the European General Data Protection Regulation (GDPR), including the assignment of certain responsibilities to companies that collect consumer data (so-called “controllers”) and to companies that process data on behalf of a controller (so-called “processors”). For more information, see our previous articles on the California and Virginia privacy laws and the GDPR.
Checklist for the Colorado Privacy Act
Does the CPA apply to your company?
- The CPA applies to all businesses, including nonprofits, that operate in Colorado or provide goods or services to Colorado residents and that meet either of the following thresholds:
  - Processes the personal data of 100,000 or more consumers per year
  - Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes the personal data of 25,000 consumers per year
- However, similar to the laws of California and Virginia, the CPA does not apply to information subject to the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, or the Fair Credit Reporting Act, along with certain other information already regulated under federal law
- In addition, the CPA exempts certain services requested by consumers (e.g., delivery apps) and publicly available information (e.g., information obtained by web scraping). The CPA’s definition of publicly available information is broader than the one under California law
If so, the company must give consumers the following rights:
- Right to opt out
  - Colorado consumers have the right to opt out of the processing of their personal information for (1) targeted advertising, (2) profiling, or (3) the sale of that information
  - Like California law, the CPA requires a universal “opt-out” mechanism for websites
- Right of access
  - Colorado consumers have the right to confirm whether a company is processing their personal information and to access that information
- Right to correction
  - Colorado consumers have the right to correct inaccuracies in the information collected about them
- Right to deletion
  - Colorado consumers have the right to request that a company erase their personal information
- Right to data portability
  - Colorado consumers have the right to receive their personal information in a portable and readily usable format
Recommended Best Practices for CPA Compliance:
- Companies that have not yet done so should map their data flows and determine which personal data they store and process, and where and how that data is stored
  - Businesses are required to conduct privacy assessments for specific activities, including targeted advertising, sales of personal data, and processing of sensitive personal data
- Businesses should review and update their privacy policies to capture all required disclosures to consumers, as described below
  - All CPA consumer rights are also granted under the privacy laws of California and/or Virginia
- Companies should also review their agreements with third parties with whom they share personal data
  - Like the GDPR, the CPA assigns certain obligations and liabilities to the controllers of personal data and to the processors who process that data as a service for the controller
- Next, businesses should develop procedures to respond to consumer requests to exercise their rights under the CPA, including:
  - Answering consumer requests within 45 days
  - Allowing consumers one free request per year
  - Authenticating the consumer’s request, or rejecting the request if it cannot be authenticated
  - Establishing an “available and user-friendly” internal process for consumers to appeal any denied request
    - The right to appeal is included in the Virginia privacy law but not in California’s
  - Responding to any such appeal within 45 days of receipt, including a written explanation of the action taken and the reasons for that action
    - Businesses can extend the deadline for responding to the appeal by an additional 60 days, provided they give the consumer a reasonable explanation of the delay within the initial 45-day deadline
    - By contrast, Virginia’s privacy law allows 60 days to respond to an appeal
  - Informing the consumer of the option to contact the Colorado Attorney General regarding the results of the appeal
Additional obligations of companies under the CPA
- Companies must also meet the following obligations set out in the CPA:
- Duty of transparency
  - Similar to the privacy laws of California and Virginia, the CPA requires businesses to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
    - The categories of personal data that are collected or processed by the company
    - The purposes for which the categories of personal data are processed
    - How and where consumers can exercise their rights under the CPA
    - The categories of personal data that the company shares with third parties
    - The categories of third parties with whom the company shares personal data
  - When a company sells personal data to third parties or processes personal data for targeted advertising, the company must clearly and conspicuously disclose the sale or processing and the manner in which a consumer may exercise the right to opt out of it
- Duty of purpose specification
  - A company must state the express purposes for which it collects and processes personal data
- Duty of data minimization
  - Following principles similar to those of the European GDPR, a company’s collection of personal data under the CPA must be adequate, relevant, and limited to what is reasonably necessary in relation to the stated purposes for which the data is collected
- Duty to avoid secondary use
  - A company may not process personal data for purposes that are not reasonably necessary for or compatible with the stated purposes for which the personal data is collected without the consent of the consumer
- Duty of care
  - A company must take reasonable measures to secure personal data from unauthorized access, both during storage and during use
- Duty to avoid unlawful discrimination
  - A company must not process personal data in violation of any state or federal law that prohibits unlawful discrimination against consumers
- Duty regarding sensitive data
  - A company must conduct data protection assessments in relation to sensitive data
  - A company cannot process a consumer’s sensitive data without first obtaining the consumer’s consent
  - Like the privacy laws of California and Virginia, the CPA creates a category of “sensitive” personal data that includes race or ethnicity, religion, health condition, sexual orientation, citizenship, biometric information, and certain other personally identifiable information
Enforcement
- The CPA does not create a private right of action for individuals to sue violators; instead, the Attorney General and Colorado district attorneys retain exclusive enforcement powers and can impose fines of up to $20,000 per violation
- As mentioned above, the CPA will not go into effect until July 2023, with a cure period until 2024
- Beginning in 2025, after the cure period ends, the CPA will allow companies to seek guidance from the Colorado Attorney General on their privacy practices in the form of opinion statements and no-action letters
  - The laws of California and Virginia do not provide a way to obtain such guidance.
The content of this article is intended to provide general guidance on the subject. Expert advice should be sought regarding your specific circumstances.