Nixon Peabody LLP

    Article

    What your business needs to know about the new Colorado Privacy Act

    July 14, 2021

    Colorado became the third state in the U.S. to adopt its own set of comprehensive privacy laws, known as the Colorado Privacy Act, aimed at protecting the use and sale of its residents’ personal and sensitive data. This article provides a high-level summary and key takeaways regarding the new law.

    On Thursday, July 8, 2021, Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law, making Colorado the third state in the U.S., joining Virginia and California, to adopt its own set of comprehensive privacy laws aimed at protecting the personal and sensitive data of its residents. Enforcement of the CPA will not begin until July 1, 2023, giving businesses time to ensure that they are compliant with CPA requirements.

    CPA highlights & key takeaways

    The good news is that the CPA is similar to the Virginia Consumer Data Protection Act (“VCDPA”), the California Consumer Privacy Act (“CCPA”), and the California Privacy Rights Enforcement Act (“CPRA”). As such, your business may already have processes and infrastructure in place that can be adapted to meet CPA requirements. Below is a list of notable differences and key takeaways every business should be aware of when collecting, selling, processing, and using the personal and sensitive data of Colorado consumers:

    • Applicability of the CPA

      • The CPA seeks to protect the personal and sensitive data of Colorado consumers. A “consumer” under the CPA is a Colorado resident acting in an individual or household context; residents acting in a commercial or employment context are not “consumers” under the CPA.

      • Similar to the European General Data Protection Regulation, the CPA adopts the controller-processor framework. The CPA applies to all businesses that (a) conduct business in Colorado or (b) produce products or services aimed at Colorado consumers, and that meet one or both of the following thresholds: (x) control or process the personal data of 100,000 or more Colorado consumers in a calendar year, and/or (y) derive revenue or receive discounts from selling personal data and/or process or control the personal data of 25,000 or more Colorado residents.

        Like the VCDPA, CCPA, and CPRA, the CPA does not define what is considered “conducting business.”

        Note that unlike the CCPA and CPRA, the CPA does not have a revenue threshold—meaning that it applies to all businesses (including nonprofit organizations) that meet the requirements above, provided the business is not an exempt entity.

      • The CPA does not apply to certain specified entities, such as air carriers, or to personally identifiable information collected pursuant to certain federal and state laws, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act.

    • Consumer rights under the CPA

      • Under the CPA, consumers have certain rights with respect to the processing of their personal and sensitive data, including:

        • The right to access, correct, delete, or request a copy of their personal data in a portable format.

        • The right to opt out of the sale of their personal data, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

        • The right to opt in to the processing of sensitive data, which includes, but is not limited to, data that identifies racial or ethnic origin, religious beliefs, citizenship or citizenship status, and sexual orientation. This right also applies to children’s data and to genetic or biometric data used to uniquely identify a person.

    • Duties & obligations of businesses regulated by the CPA

      • Controllers are required to conduct and document all data protection assessments for activities that pose a reasonably foreseeable heightened risk of harming consumers.

      • Controllers and processors are required to contractually document their relationship. Contracts must include certain information and provisions that, among other requirements:

        • define the type of data subject to, and the duration of, the processing;

        • impose confidentiality obligations on the persons engaged in processing;

        • give the controller an opportunity to object to the use of subcontractors;

        • require that any subcontractor processing personal data be bound, by way of written agreement, to the same obligations as the processor under the underlying agreement; and

        • impose security requirements on both parties.

      • Controllers must respond within forty-five (45) days to an authenticated consumer request concerning the consumer’s personal data, which can be extended by forty-five (45) additional days where reasonably necessary. Controllers must also establish a process for consumers to appeal a controller’s failure to act on a given request.

      • Controllers selling personal data or using it for targeted advertising must have privacy notices that “clearly and conspicuously” disclose that fact and how consumers can opt out. Opt-out information must be provided in a “readily accessible location outside the privacy notice.” Note that the law does not specify how controllers must present consumers with these opt-out rights. By July 1, 2024, consumers must be permitted to opt out of the sale of their data or its use for targeted advertising through a “user-selected universal opt-out mechanism” determined by the attorney general.

      • Controllers must allow consumers to opt into the use of their sensitive data (defined above), before processing such data.

    • Enforcement under the CPA

      • Under the CPA, Colorado’s Attorney General and state district attorneys are responsible for enforcing the provisions of the CPA, subject to a 60-day cure period for any alleged violations of the CPA. This cure period is currently available to businesses until 2025. The Colorado Attorney General is authorized to adopt rules regarding the issuance of opinion letters and guidance that businesses may rely on in good faith, creating a defense for businesses against an alleged violation of the CPA.

      • Although the CPA preempts any local or county Colorado laws and does not provide consumers with a private right of action, a violation of the CPA would be considered a deceptive trade practice under the Colorado Consumer Protection Act (the “Act”). Violations under the Act may result in the imposition of civil penalties of up to $2,000 per violation (i.e., per consumer and per transaction) with a maximum penalty of $500,000 for related violations.

    The key takeaways above provide a high-level summary highlighting some of the requirements of the CPA. Businesses should not only understand these key takeaways but also ensure that they are compliant with all of the duties and obligations applicable to processors and controllers engaged in the sale and use of Colorado residents’ personal and sensitive data. As more states adopt their own privacy laws aimed at protecting the personal data of their residents, businesses should continue to build a data privacy and cybersecurity infrastructure that provides clear notices to consumers regarding the use and sale of their personal data, and should stay abreast of the changing privacy landscape in the U.S.

    Privacy, Consumer Privacy

    Practices

    Cybersecurity & Privacy
