Colorado Privacy Act: The Basics
On July 1, 2023, the Colorado Privacy Act (CPA) takes effect. Businesses that collect information on Colorado consumers might find themselves with a host of compliance obligations with respect to personal data, including cookies or targeted advertisements towards potential customers. Under the CPA, Colorado consumers have a host of rights, similar to those under the California Consumer Privacy Act, which will create additional challenges for businesses to which the CPA applies.
The CPA applies to companies (or “Controllers”), both non-profit and for-profit, that (i) target their goods or services to consumers within Colorado, and either (ii) handle the personal data of over 100,000 Colorado consumers (natural persons acting outside of the employment context), or (iii) derive revenue from the sale of personal data of more than 25,000 consumers. Notably, the CPA has no revenue threshold for applicability, which means local Colorado businesses with a substantial web presence could collect enough cookies to become subject to the CPA.
The definition of “personal data” covered by the CPA is broad: “information that is linked or reasonably linkable to an identified or identifiable individual.” The CPA also grants consumers rights in their data, including the right to confirm the business is processing their personal data, rights to delete, transport, or correct inaccuracies in that data, and the right to opt out of (1) targeted advertising, (2) sale of personal data, and (3) profiling with legally significant consequences. Controllers must update their privacy policies and give consumers a way to exercise their rights.
The CPA defines “targeted advertising” as “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer’s preferences or interests”. This means that websites utilizing innovative advertising and retargeting may need to comply with the CPA and develop a streamlined mechanism to honor consumers’ opt-outs. This is a unique right in U.S. privacy law that will likely impose significant development costs on web-based businesses.
The Colorado Attorney General just issued draft rules for the enforcement of the CPA, which we will cover in our next post. In the meantime, Colorado businesses should map the personal data they collect to determine whether the CPA might apply to them, draft privacy policies that comply with the CPA, obtain cyber insurance, and develop strategies for managing consumer consent, cookies, and sensitive data. Email me at codevilla@skandslegal.com for help!