Nixon Peabody LLP


    Alert / Data Privacy & Cybersecurity Alert

    Colorado General Assembly passed the Colorado Privacy Act

    June 11, 2021


    By Tracy Ickes

    What’s the Impact?

    • Colorado is poised to become the third state to create personal data privacy rights, imposing several new requirements on controllers.
    • The CPA applies to controllers that conduct business in Colorado, or deliver commercial products or services intentionally targeted to Colorado residents.
    • Companies should be aware of the applicable laws, and their individual nuances, in each state in which they operate.

    Colorado is set to become the third state to enact comprehensive privacy regulation. On June 8, the Colorado General Assembly passed the Colorado Privacy Act (the “CPA”). Once the CPA is transmitted to Governor Jared Polis, he will have ten days to sign or veto it. If signed, the effective date will be July 1, 2023.

    Protections for consumers

    Similar to California and Virginia’s privacy laws, the bill creates personal data privacy rights. Consumers have the right to opt out of processing of personal data for targeted advertising, the sale of personal data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” Consumers also have the right to authorize another to opt out of processing such data, including through preferences in web browsers. Of particular interest, though, is that the attorney general is authorized to establish technical specifications for a user-selected universal opt-out mechanism.

    Consumers also have the right to access their personal data, correct inaccuracies in personal data, and delete personal data. Additionally, up to two times per year, a consumer may obtain personal data in a portable format that allows transfer to another entity.[1]

    Affected entities

    The CPA applies to controllers that conduct business in Colorado, or deliver commercial products or services intentionally targeted to Colorado residents, and:

    • Control or process personal data of more than 100,000 consumers per year, regardless of whether they derive revenue from it; or
    • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

    Data controller obligations

    The CPA also imposes a number of requirements on “controllers,” defined broadly as a person, alone or jointly with others, that determines “the purposes for and means of processing personal data.” Some of the obligations—such as responding to requests and providing privacy notices—are unremarkable. However, the CPA still warrants a careful look.

    First, the act requires controllers to limit collection of personal data to what is “adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” The purpose for which data is processed must be stated in the privacy notices. Thus, controllers should pay close attention to how they identify the purpose for which data is processed, and ensure that it is consistent with their actual practices.

    Second, the act requires controllers to take reasonable measures to secure data, taking into account the volume, scope, and nature of the data processed and the nature of the business. While the CPA itself does not create a private right of action (as discussed below), victims of data breaches may rely on this to allege negligence per se.

    Third, the act requires controllers to conduct a “data protection assessment” of each processing activity that “presents a heightened risk of harm to a consumer,” including selling personal data, processing sensitive data, or targeted advertising that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, intrusion, or other “substantive injury.” These data protection assessments must be made available to the attorney general upon request, and the attorney general may evaluate them for compliance with other laws. This may permit broad inquiries, particularly in light of the FTC’s recent announcement that certain practices relating to artificial intelligence could violate the Fair Credit Reporting Act and the Equal Credit Opportunity Act.

    Enforcement

    Enforcement mechanisms under the CPA are limited. There is no private right of action, and only the attorney general and district attorneys have authority to enforce the act. The attorney general and district attorneys may seek injunctive relief, and violations of the act—after notice and an opportunity to cure—are deemed deceptive trade practices. However, no other form of relief or monetary penalty is specified.

    Looking ahead

    A patchwork of state-level privacy acts is emerging nationwide, with Colorado now joining California and Virginia, and each has unique features. Companies should be aware of the applicable laws, and their individual nuances, in each state in which they operate.

    Nixon Peabody’s Privacy & Cybersecurity Team will continue to monitor the changing landscape of state privacy laws.

    1. Note that these rights do not apply to pseudonymous data if the information necessary to identify the consumer is kept separately and is subject to both technical and organizational controls that prevent a controller from accessing the information. In addition, the CPA does not impose any obligation to maintain data in an identifiable form, or to re-identify data in order to respond to requests.

    • © 2023 Nixon Peabody. All rights reserved