Beginning on July 1, Colorado employers who collect and store significant amounts of personal data on customers must allow those individuals to review, correct and delete that data and must get permission from them if they want to sell any of their information.
Controllers of the data for these companies also must undertake significant data-protection assessments to ensure not only that the information is safe from hackers but that the information is necessary for company operations. Those who fail to comply with the newly enacted Colorado Privacy Act could face penalties that reach as high as $20,000 per violation.
The new regulations stem from a law passed with overwhelming bipartisan backing in 2021 and aimed at ensuring that consumers can control the amount of personal data that is available on them. Colorado is just the third state to enact such a law, following similar statutes in California and Virginia, but its rules are in some cases more strenuous than those of other states, which has generated national attention on the local efforts.
“Some companies will be in better positions than others,” said Lindsey Tonsager, co-chair of the global privacy and cybersecurity practice at Covington & Burling LLP, noting that national and international firms are likely prepped by existing California and European regulations. “But for mid-sized Colorado businesses and even small-sized Colorado businesses that just eke over the threshold limits for data, they have some work to do.”
How the Colorado Privacy Act works
The new rules apply to any company either conducting business in Colorado or targeting products or services to Colorado that controls and processes the data of at least 100,000 consumers annually or sells the personal data of at least 25,000 consumers.
Arguably the most important feature of the Colorado Privacy Act is its creation of new personal data rights for consumers — the rights of access, correction, deletion and data portability. Beginning Saturday, consumers can contact any company that has personal data on them, ask to see all the data it’s collected, correct inaccuracies, demand data be deleted and demand it be given to them in a commonly used electronic format if the consumer wants to transfer it to another company.
The new law also requires that companies receive explicit consumer consent to process sensitive data that’s used to indicate things such as an individual’s race or sexual orientation, to sell a consumer’s personal data or to process it for targeted advertising. Controllers of information gathered before July 1 must go back and get consent from consumers to do these things if they have not gotten it already, and those who get consent to use data for one purpose (like providing them targeted offers) must get new consent if they seek to use it in a second way (such as selling information to data brokers).
Colorado’s law includes some provisions not found in other states, particularly around purpose specification and data minimization. Controllers of personal data must specify for consumers the express reason for collecting and processing data, and they also must determine the minimum amount of personal data necessary for those express purposes and set time limits on how long they need to keep it.
The law also allows consumers to employ a universal opt-out mechanism signaling to any website that they may visit that they do not consent to the processing of their personal data for purposes of targeted advertising or sale. However, several groups watching the process have noted that no one has developed such a universal opt-out mechanism yet and that it will be interesting to see how the Colorado Attorney General’s Office enforces that clause when such offerings become available.
In addition, the Colorado Privacy Act requires that controllers of personal data conduct data-protection assessments to determine vulnerability and risks around the data they hold. This comes at a time when numerous companies have suffered data breaches.
Two sides to data-privacy assessments
These assessments, Tonsager explained, can help companies that have not had to comply with similar laws to put together a data inventory and identify privacy risks, but they will also require significant work to undertake. Her firm represented companies put together by the Colorado Chamber of Commerce across several industries in reviewing regulations and helping them understand how to comply with the law.
“At the same time, they are very much a paperwork exercise where it can be a real burden to a company — with an unclear benefit to consumers,” she said.
The law carves out exemptions, some of which came through a rulemaking process participants characterized as particularly robust and open-minded on the part of the AG’s office.
For example, regulations bar websites from denying access to users just because they fail to consent to the site processing and selling their personal data. However, the rules permit companies like stores and restaurants to bar consumers from their loyalty programs and the potential benefits they can accrue through them if the consumer demands that personal data required to be a part of the program be deleted.
Enforcement will be phased in. Until 2025, controllers notified by the AG’s office of violations will have 60 days to cure them before they are assessed with civil penalties that can reach as high as $20,000 per violation, said Alexandra Scott, a senior associate with Covington’s global privacy and cybersecurity practice. There is no private right of action.
Companies affected by the law are waiting to see exactly how the new rules will play out, particularly in Colorado-specific areas like limits on uses of secondary data, said Roberta Robinette, Colorado president of external affairs for AT&T. The simplest way to ensure privacy protections would be a federal approach, but that doesn’t seem to be on the horizon, she said.
Impact of Colorado Privacy Act
“Regulating interstate communications state-by-state does complicate compliance and results in a patchwork approach that introduces additional complexities,” Robinette said in an interview. “While Colorado’s law does not venture far from other state privacy laws passed in recent years, the biggest concern of companies operating in Colorado is the uncertainty of how the law will be enforced.”
SB 21-190, sponsored by Republican Sen. Paul Lundeen of Monument and Democratic Sen. Robert Rodriguez of Denver, received only seven “no” votes as it passed through the Legislature in 2021 — a far more bipartisan outcome than many bills found in the 2023 session — and it comes as part of a wave of new consumer protections that has popular support. But to implement it, businesses must be prepared to know which records they have, know how they can produce and delete them for customers and consider how they may be able to operate with less data.
“Corporations are going to have to have a real firm understanding of what data they have and how they process it,” Scott added.