Colorado Becomes the Third State to Pass State-Mandated Privacy Requirements | Apptega

With more new state privacy requirements, how can you manage them all with clear insight into compliance readiness?

Similar to existing laws in California and Virginia, the state of Colorado recently passed a privacy law to protect personal information.

Gov. Jared Polis formally signed the Colorado Privacy Act late on the afternoon of July 7, 2021; however, the provisions will not go into effect until July 1, 2023.

The act will empower all consumers with the ability to protect their privacy and will mandate that companies are responsible custodians of consumers’ personal information.

Where did the Colorado Privacy Act originate?

The Colorado Privacy Act originated as Colorado Senate Bill 21-190, sponsored in the state’s Senate by Sen. Robert Rodriguez and Sen. Paul Lundeen.

According to a report in The Colorado Sun, Rodriguez was moved to sponsor the bill after he got a COVID-19 test in 2020 and, when accessing his results, he was asked a number of personal questions to verify his identity. It spawned a number of questions for the Senator about who has access to this type of information and the role technology plays in both the volume of data created and collected, but also stored, shared, and analyzed.

The law was introduced in the Colorado Senate in March 2021 and underwent some revisions once it moved over to the state House that summer. The final act was approved in late June 2021 before the governor signed it into law in July.

What does the Colorado Privacy Act do?

The Colorado Privacy Act gives consumers the right to access, correct, and delete their personal information, including the right to opt out of that having their data collected, used, and sold.

It also requires that companies safeguard this information and provide consumers with clear, understandable, transparent information about how they use personal information. In addition, it will now require those companies to undergo assessments related to the collection and use of personal data.

Under the law, these companies will be required to:

• Specify data collection purposes
• Minimize data collection
• Ensure secure collection of personal information
• Not use data that violates any federal or state anti-discrimination laws
• Not use collected personal information for secondary purposes
• Receive consent to process some types of sensitive personal information

Who will enforce the Colorado Privacy Act?

By passing the law, Colorado’s Attorney General and District Attorneys throughout the state can now access and evaluate those data protection assessments to impose fines when there are violations with a goal of preventing future violations.

The law does not include specifications for individual right of action against the covered entities.

The Colorado Attorney General will take the lead role in establishing rules for CPA implementation, including technical requirements that define how companies can move forward with opt-out options as well as requirements about CPA best practices.

The AG is expected to provide those technical specifications by July 1, 2023, that will include one or more universal “opt-out” mechanisms that clearly communicate “a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for advertising or sale of that data.”

That opt-out mechanism won’t be a default option, but it must be consumer-friendly, clearly described, and easy to use.

If a consumer chooses to opt out, the company cannot unfairly disadvantage that consumer.

By Jan. 1, 2025, the AG may adopt rules to govern how it will issue opinion letters and offer guidance for an operational framework that includes good faith reliance on the defense of action that could constitute a CPA violation.

What will Colorado Privacy Act non-compliance penalties look like?

The Colorado Attorney General or District Attorney must always issue a violation notice to a covered entity if it is believed a cure is possible. If the entity fails to cure the issue within 60 days of the notice, the AG or DA can move forward with further action. It’s interesting to note here that in California and Virginia, where similar laws are in play, the time to address a notice of violation is half – only 30 days.

As of now, the act does not provide any specifications regarding fines and penalties; however, any violation of the Colorado Privacy Act is considered a “deceptive trade practice,” and therefore penalties fall under the Colorado Consumer Protection Act. Ultimately, this can result in a civil penalty of no more than $2,000 per violation, with the maximum civil penalty to not exceed $500,000.

When does the Colorado Privacy Act go into effect?

Although the Colorado Privacy Act was signed in the summer of 2021, the provisions won’t go into effect formally for two more years until July 1, 2023.

Who is a “consumer” as defined by the Colorado Privacy Act?

Based on the Colorado Privacy Act, a consumer is considered any Colorado resident who acts in context as an individual or household but does not include a person acting in a commercial or employment context. For example, it would not apply to a job applicant or beneficiary of a person acting in an employment role.

What is a “controller” as defined by the Colorado Privacy Act?

According to the Colorado Privacy Act, a controller is a person who acts alone or with others to determine the purpose for and means of producing personal data.

Who must be compliant with the Colorado Privacy Act?

The Colorado Privacy Act applies to all legal entities that conduct business within the state that produces or delivers commercial goods or services to Colorado residents with some caveats:

• If the covered entity controls or processes personal information for 100,000 Colorado residents or more during a calendar year
• If the covered entities receive revenue or discounts by selling personal information and if they also process and control personal information for 25,000 (or more) state residents

Interestingly, unlike other state-based privacy laws in California and Virginia, the Colorado act does not have similar monetary thresholds related to compliance.

Is anyone exempt from the Colorado Privacy Act?

According to a summary of the law shared by the Colorado General Assembly, the law does not apply to certain specified entities, including personal data governed by listed state and federal laws, listed activities, and employment records.

The Colorado Privacy Act does not apply to:

• Protected health information (PHI) that a covered entity or its business associate collects, stores, or processes
• Healthcare information governed by other sections of CPA
• Patient identifying information defined in 42 CFR 2.11, governed by, collected, and processed related to 42 CFR 2 pursuant to 42 U.S.C. Sec 290dd-2
• Identifiable private information defined in 45 CFR 46.102
• Information and documents a covered entity creates to comply with HIPAA regulations
• Patients safety work product defined in 42 CFR 3.20 for patient safety improvement

To see additional exclusions, check out CPA 6-1-1304.2.

What are some other relevant terms I should know about as it applies to CPA?

• A controller is a person who determines the purposes for, and means of, processing personal data either alone or jointly with others.
• A processor is a person who processes personal data on behalf of a controller.
• The sale of personal data is defined as the exchange of personal data for monetary (or other valuable consideration) by a controller to a third party. Check out CPA section 6-1-1303: Definitions to see “sale” exclusions as outlined by the act.

What is considered personal data?

The Colorado Privacy Act defines personal data as any information linked (or reasonably linkable) to an identified or identifiable person. It doesn’t include de-identified data or data that’s publicly available.

In this context, “publicly available” data is data considered as information that’s lawfully available from local, state, or federal government records and any information the covered entity believes the consumer lawfully made publicly available.

Of note, there are some additional consumer consent requirements for what’s considered “sensitive data” as defined by CPA. This could include information such as sexual orientation, religion, ethnic background, citizenship state, health or mental health conditions, or other health information such as biometrics and genetics.

Do other states have similar laws?

Yes. Other states, such as California and Virginia, have similar privacy laws on the books; however, many U.S. states are now considering similar mandates. To see an up-to-date map of the status of these proposed and in-effect laws, check out the International Association of Privacy Professionals (IAPP) U.S. State Privacy Legislation Tracker.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018 went into effect on Jan. 1, 2020. Similar to Colorado’s new law, it allows California consumers to:

• Know about the personal information a business collects, how it’s used, and how it’s shared
• Delete (with some exceptions) personal data collected
• Opt out of the sale of their personal data
• Not experience discrimination for exercising opt-out rights

CCPA applies to all for-profit businesses that do business in California and:

• Have a gross annual revenue of more than $25 million
• Buy, receive, or sell personal information of 50,000 or more California residents, households, or devices, or
• Derive 50% or more of annual revenue from selling California residents’ personal information

CCPA violations can reach up to $2,500 per unintentional violation and up to $7,500 for each intentional violation.

What is the Virginia Privacy Act?

The Virginia Consumer Data Protection Act (VCDPA) became law on March 2, 2021, making it the second U.S. state (after California) to enact a privacy law.

VCDPA gives consumers the right to “access, correct, delete, obtain a copy of personal data, and to opt-out of the processing of personal data for the purposes of targeted advertising. The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.”

VCDPA becomes effective on January 1, 2023.

VCDPA applies to businesses that conduct business within Virginia or produce goods and services used by Virginia residents if the organization:

• Controls or processes personal data of at least 100,000 consumers during a calendar year
• Controls or processes personal data of at least 25,000 consumers and gets at least 50% of its gross revenue from personal data sales

What about a federal mandate?

While the United States does not have a formalized federal mandate for data privacy like the European Union’s (EU), General Data Protection Regulation (GDPR), there are other sector-related privacy mandates, for example, HIPAA and the U.S. Privacy Act of 1974, that govern some privacy requirements.

For now, individual state laws and those existing federal regulations will guide privacy mandates. Will lawmakers eventually agree on a unified federal framework? Interestingly, earlier this year, President Biden issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” which mandates all software vendors that work with the federal government report breaches to relevant government partner agencies. Will something similar follow suit for more generalized federal privacy standards? Only time will tell as there’s a mixed response around the nation about whether that will be good or bad for businesses.

Is the New York Financial Services Cybersecurity Regulation similar?

While there may be some privacy components to New York’s Department of Financial Services Cybersecurity Regulation – for example, customer data privacy – the law’s primary focus is cybersecurity regulations for the state’s financial services industry.

The regulations apply to DFS-regulated organizations that are authorized to do business in New York through its banking law, financial services law, or insurance law—regardless of the organization’s headquarters’ location.

The regulations extend beyond banks and also include licensed lenders, mortgage companies, services providers, and insurance companies, with some exceptions.

How can Apptega help me with Colorado Privacy Act compliance?

As with many security and privacy frameworks, once finalized, we’re likely to see a range of technical controls and requirements for the Colorado Privacy Act. Managing that compliance with static documents such as word processing or GRC tools, or even in spreadsheets, can be difficult to handle. They just don’t give you the insight that a cybersecurity management framework platform like Apptega can.

With Apptega, you can manage all of the Colorado privacy controls, all from a single dashboard, with instant insight into how each control performs and where you have gaps that need mitigation before formal implementation or attestation.

Once these technical specifications are released, you may find that you already have some (or all) of them in place through other frameworks or compliance requirements that apply to your organization.

With Apptega, you can get complete visibility into all of your controls and sub-controls—across all of your frameworks—right in the dashboard. You’ll even receive mitigation recommendations and can connect quickly to find other tools and support for your CPA compliance journey in our CyberXchange Marketplace.

And, even better yet, if your organization does business in more than one state and you’re subject to multiple security and privacy mandates, you can manage all of those in the platform and use our Harmony tool to simply crosswalk as many frameworks as you need.

---

Is your organization following multiple cybersecurity and privacy compliance frameworks?

Check out our short video demo on Apptega’s Harmony feature, which allows organizations to crosswalk multiple cybersecurity and privacy frameworks to streamline program efficiency.