Colorado Privacy Law: Requirements, Scope, and Impact on Companies
Overview
The Colorado Privacy Law is a recently enacted privacy law that went into effect on July 1, 2021. The law gives Colorado residents certain rights over their personal data and places certain obligations on businesses that collect and process that data.
Like other comprehensive state privacy laws, the Colorado Privacy Law borrows from the CCPA: it requires clear notices to consumers when personal information is collected, processed, and shared, and it allows consumers to exercise specific rights over the data they provide to organizations.
Requirements
Colorado’s Privacy Law has several requirements that organizations must comply with, including:
Allowing consumers to correct inaccuracies in their personal information
Providing consumers with access to their personal information
Obtaining opt-in consent before collecting sensitive personal information
Allowing consumers to opt-out of the sale of their personal information
Implementing appropriate security measures to protect personal information
These requirements may look familiar; they’re similar in nature to those found in other privacy laws such as the CCPA or GDPR, but there are some differences in the specifics of the requirements provided to Colorado residents.
Scope
The Colorado Privacy Law applies to businesses that conduct business in Colorado or produce products or services that are targeted to Colorado residents and that meet certain thresholds, such as processing personal data of at least 100,000 consumers per year.
The Colorado Privacy Law covers personal data, which is defined broadly to include any information that is linked or linkable to an identified or identifiable person.
Consumer Rights:
The Colorado Privacy Law gives Colorado residents several rights over their personal data, including the right to access and correct their data, the right to opt-out of the sale of their data, and the right to request that their data be deleted.
Businesses must provide consumers with a means to exercise these rights, such as a web form or toll-free number.
Right to access personal data:
Consumers have the right to request that businesses disclose the personal data that they have collected about them.
This data has to be made available to the consumer in a portable format. If it is provided digitally, organizations should ensure it can be viewed correctly on both desktop and mobile devices. This is called the right to data portability.
Right to correct inaccuracies:
Consumers have the right to request that businesses correct any inaccuracies in their personal data.
Organizations may refuse to correct data in certain circumstances. For example, a consumer cannot require an organization that received their credit score from a third party to change that score because the consumer believes it is inaccurate. In that instance, the consumer must correct the information with the first-party supplier of the data.
Right to deletion:
Consumers have the right to request that businesses delete their personal data, subject to certain exceptions.
Similar to the California Consumer Protection Act (CCPA), preceding law and contractual language can override a consumer deletion request, as long as the organization removes the data from its systems once those other legal obligations have been met and includes appropriate contractual language where data needs to be retained.
Right to opt out (sales):
Consumers have the right to opt-out of the sale of their personal data. Disclosures presented to the client at time of data collection should clearly indicate whether they will be opted into sales of their personal information by providing their data, and any abilities they have to modify that preference.
Organizations need to modify their technology to understand when data belongs to a CO resident, whether the consumer has received necessary disclosures, and whether they’ve provided an opt out preference at any point in time prior to any exchange of information that would constitute a sale (providing the data, but not activating on it is still selling.)
Right to opt-in (collection and processing):
Businesses must obtain opt-in consent from consumers before collecting and processing sensitive personal data, such as data relating to race, ethnicity, religion, health, sexual orientation, or biometric information.
This makes it unambiguous that consumers must be prompted for express consent before any exchange of this data takes place, and that there is no circumstance in which a business may infer consent to collect and process these data points.
Organizations affected by this requirement need to catalog and review every point where they collect this type of data and make sure the consent language and collection mechanism are up to date with the new requirements. Additionally, they will need to store the consent decisions and apply them to any processing activities occurring within the enterprise.
Why would someone need to also apply consent decisions downstream to processing activities if consent is required for collection AND processing?
A business may want to apply advanced logic to their technology systems in order to attempt collection of more consent for certain activities but not others. There are pros and cons to this method.
Advantages:
Maybe you decide to have multiple consent options on lead forms where consumers can make multiple decisions to hopefully maximize the use of the data. The logic is that informed consumers may be comfortable with some processing and collection activity, but not others, so having areas to refine your choices may open up more data for certain processing activities, where a blanket consent may make consumers trend towards not opting in.
For example, a consumer decides to allow your business to collect the information, use it for processing in internal analytics and models, but not use it for processing analytics and models that go to third party clients.
Your business now has an additional individual in its data sets for internal analytics, one it might not have had under a blanket consent if the consumer had been spooked by some activity and refused to opt in at all.
Disadvantages:
If you are at the point where you have to build this type of logic into your data flows, you will soon realize that it is very complex to build into legacy technology solutions at the enterprise level.
Organizations need to have a privacy-first, committed proactive approach to their data activities or they will struggle to implement this effectively, creating a messy system that may be error-prone and not prioritized for improvements.
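The opt-out-of-sale check described above and the per-purpose consent logic from the advantages section can be expressed as one gate that every processing activity passes through. The following is an added illustration, not code from the original post; the purposes, sensitive categories and consent-record fields are assumptions chosen to match the scenarios in the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Set, Dict, Tuple

# Processing activities gated separately (granular consent); assumed set.
class Purpose(Enum):
    INTERNAL_ANALYTICS = "internal_analytics"
    THIRD_PARTY_ANALYTICS = "third_party_analytics"
    SALE = "sale"

# Sensitive categories from the text that require express opt-in consent.
SENSITIVE_CATEGORIES = {"race", "ethnicity", "religion", "health",
                        "sexual_orientation", "biometric"}

@dataclass
class ConsentRecord:
    consumer_id: str
    colorado_resident: bool
    disclosure_shown: bool                 # notice presented at collection time
    opted_in_purposes: Set[Purpose] = field(default_factory=set)
    sensitive_opt_in: Set[str] = field(default_factory=set)  # express consent only
    opted_out_of_sale_at: Optional[datetime] = None          # earliest opt-out, kept

class ConsentLedger:
    """Stores consent decisions and gates every processing activity on them."""
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record(self, rec: ConsentRecord) -> None:
        self._records[rec.consumer_id] = rec

    def opt_out_of_sale(self, consumer_id: str) -> None:
        rec = self._records[consumer_id]
        if rec.opted_out_of_sale_at is None:   # an opt-out is never silently reset
            rec.opted_out_of_sale_at = datetime.now(timezone.utc)

    def may_process(self, consumer_id: str, purpose: Purpose,
                    categories: Set[str]) -> Tuple[bool, str]:
        """Return (allowed, reason); no record on file means deny, not infer."""
        rec = self._records.get(consumer_id)
        if rec is None:
            return False, "no consent record"
        if not rec.colorado_resident:
            return True, "not a Colorado resident; other laws may still apply"
        missing = (categories & SENSITIVE_CATEGORIES) - rec.sensitive_opt_in
        if missing:   # sensitive data: consent must be express, never inferred
            return False, f"no express opt-in for sensitive data: {sorted(missing)}"
        if purpose is Purpose.SALE:
            if not rec.disclosure_shown:
                return False, "sale disclosure never presented"
            if rec.opted_out_of_sale_at is not None:
                return False, "consumer opted out of sale"
            return True, "sale permitted"
        if purpose not in rec.opted_in_purposes:
            return False, f"no opt-in for {purpose.value}"
        return True, f"{purpose.value} permitted"
```

The deny reasons are returned rather than logged so that the calling pipeline can record why a record was withheld from a data set, which is the audit trail a Data Protection Assessment will ask for.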
Right to non-discrimination:
Businesses cannot discriminate against consumers who exercise their privacy rights. Typically, we don’t see businesses deliberately attempting to discriminate against consumers for exercising their privacy rights, but it can creep in unintentionally in ways that expose you to risk.
For example…
A business decides to run a sweepstakes or contest that provides a financial incentive (e.g. $50 off) to the consumer if they partner with a third party the business is working with. The business hasn’t set up the contract with the third party as a valid joint marketing agreement under privacy law (which requires specific consent language, technology integrations between the two parties, etc.), so it can’t share the data of anyone who is opted out of sales, because those consumers haven’t received the proper disclosure that would bypass their consent decision. As a result, people who are opted out can’t receive the promotional value, and have been discriminated against for exercising their privacy right.
Things can fall through the cracks when you have a lot of people involved, especially in partnerships with third parties. A business strategist or other individual at the company may realize that they’re not supposed to share data of opted out individuals because they took the annual training, and decide to filter the list of people who receive information about the promotional email, so those individuals never have the chance to modify their decision to prevent the discrimination from occurring.
We saw this example happen daily across multiple clients for years after privacy laws were introduced, and the concept of right to non-discrimination was introduced in Europe and California. It’s important for those involved in implementation of data privacy strategy to understand these hiccups that can occur in day-to-day business and account for them where possible proactively.
Compliance with the Colorado Privacy Law
The Colorado Privacy Law places a number of other data-management requirements on organizations that need to comply. For example, organizations need to conduct Data Protection Assessments to identify the impact of changes to data activities and any increase in risk to consumers and the organization. They are also responsible for maintaining appropriate security measures to safeguard the data from unauthorized access.
Organizations that must already comply with other privacy laws such as the CCPA and GDPR will need to ensure that they are also complying with the Colorado Privacy Law. Compliance with the Colorado Privacy Law may require additional resources and efforts, but it can also provide benefits such as increased consumer trust and loyalty.
The Colorado Privacy Law is just one example of a state privacy law that businesses must comply with. The patchwork of state privacy laws places a burden on businesses to comply with a complex and ever-changing regulatory landscape. One solution to this challenge is for businesses to adopt a comprehensive privacy program that meets the requirements of all applicable privacy laws.
Need help working through the implementation of controls required to comply with this, or other privacy laws? Contact us today to find out how we can help you streamline your efforts.