Colorado Passes Comprehensive Privacy Law
Update Applicable to:
All employers doing business in Colorado who are classified as Controllers by the new law.
On July 7, 2021, Governor Jared Polis signed SB 21-109 into law.
What are the details?
The Colorado Privacy Act (CPA) takes effect July 1, 2023. The law applies to businesses classified as “controllers”, defined as any entity that (i) determines the purposes and means of processing personal data, (ii) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of the state, and (iii) either (a) controls or processes the personal data of more than 100,000 Colorado residents per year or (b) derives revenue from selling the personal data of more than 25,000 Colorado residents.
The law imposes new obligations on Controllers and grants new rights to Consumers, meaning Colorado residents acting in an individual or household context. The CPA does not apply to data that is already subject to other federal privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), and the Securities Exchange Act of 1934. The CPA also exempts employment data and public utility customer records (so long as they are not sold), and it does not apply to higher education institutions, nonprofits, or state and local governments.
Controllers will need to follow the new duties that are described in the law. These new duties include:
- Duty of transparency;
- Duty of purpose specification;
- Duty of data minimization;
- Duty to avoid secondary use;
- Duty to avoid unlawful discrimination;
- Duty regarding sensitive data.
In addition, controllers must also conduct data protection assessments for each processing activity involving a heightened risk of harm to Consumers, including:
- The sale of personal data;
- Processing of sensitive data; or
- Processing personal data for targeted advertising if it could lead to unfair or deceptive treatment or have a disparate impact on Consumers, financial or physical injury, physical or other intrusion upon seclusion, or other substantial injury.
Controllers must present these data protection assessments to the Colorado Attorney General upon request.
Controllers should be aware that the CPA empowers Consumers with new controls over their data, including the right to:
- opt out of the processing of certain personal data;
- access personal data (up to twice per calendar year);
- correct inaccurate data;
- delete personal data; and
- data portability.
When a Consumer requests access to their personal data, the Controller may not require that the Consumer create a new account in order to exercise this right, nor retaliate with increased cost or decreased availability of a product or service. When responding to Consumer data requests, Controllers must:
- Take action on the Consumer’s request without undue delay and within 45 days of receiving the request—with few exceptions.
- Develop an internal process for Consumers to appeal refusals of data requests.
- Notify the Consumer that it may contact the Colorado Attorney General if the Consumer has concerns about the result of the response and outcome of appeal.
The law can be read here.
What do employers need to do?
Employers should review the new law and the information above to update any applicable policies and practices to stay in compliance and be prepared for when the law becomes active.