This summer, Colorado passed the newest privacy law in the United States—the Colorado Privacy Act (CPA). With its passage, Colorado joined Virginia and California in creating legislation around privacy and data protections for users (in this case, Colorado residents). And, if you have any users in Colorado who use or visit your site, you will be affected.
The CPA will go into effect July 1, 2023, which doesn’t leave much time to come into full compliance with the various requirements of the law. However, don’t worry: I’ll walk you through what you need to know in order to come into compliance. That way, once you understand what the law requires of you, you’ll be able to take the steps necessary to get prepared before the law takes effect.
Overview of the CPA
The CPA uses a controller/processor model; in essence, this model lays out requirements for how data controllers (any party responsible for determining what personal data is collected) and processors (any party that processes that information) can collect and use personal data.
Because the CPA focuses so heavily on personal data, it helps to know exactly how it’s defined within the law. Personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information, however.
If someone accuses an organization of failing to comply with any part of the CPA, they can bring an action against them. If this happens, the organization has 60 days to cure the violation. If the company addresses the concern within this cure period, the Attorney General or District Attorney may not bring the full action against them. If, however, they are found guilty of a violation, it’s considered a deceptive trade practice, and they may be fined up to $20,000 per violation.
The only caveat to this is that the cure period sunsets after two years. So, after July 1, 2025, there will be no cure period—if you violate the law in some way, an action can immediately be brought against you.
General Rights Granted by the CPA
The CPA grants Colorado residents five general rights. First, it gives users the right of access. In essence, this is the right to confirm whether a controller is processing personal data concerning the consumer and the right to access personal data collected about them.
Under the CPA, users also have the right to correct any inaccuracies in their personal data. They also have the right to delete personal data that concerns them, whether they’ve provided it or the company obtains it another way. In other words, if you purchase third-party data and supplement your datasets with that information, then when a deletion request comes in, any information you have that’s linked with that individual must be deleted.
The CPA gives users the right to obtain a copy of their personal data in a portable, readily usable format. Finally, it also gives them the right to opt out of the processing of their personal data specifically for a few different purposes, including targeted advertising, selling their personal data, or profiling in the furtherance of decisions that produce significant effects concerning them.
The right to opt out of targeted advertising is a big change—one that will affect many marketers and advertisers. So, let’s take a closer look at it.
Targeted Advertising Restrictions Under the CPA
The CPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”
Notably, targeted advertising does not include advertisements based on activities within a controller’s own websites or online applications; ads based on the context of a consumer’s current search query, visit to a website, or online application; ads directed to a consumer in response to their request for feedback or information; or personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
The CPA requires you (the controller) to provide consumers the right to opt out of such things as targeted advertising. You must also offer a universal opt-out option so a consumer can click one button and exercise all opt-out rights.
As you can see, by including the provision about targeted advertising, the CPA expands what users are able to opt out of. With the universal opt-out option, it also makes it far easier for users to opt out of much of how their data is processed and used. And here’s where things really start to potentially affect you: combined, those two provisions present a large risk to some of the activities your organization may currently be engaging in with regards to user data.
Operational Impacts of the CPA
With all the rights the CPA grants consumers, you’re probably wondering exactly what your duties are in terms of maintaining those rights, and how you can remain compliant with the law while still executing your marketing and advertising strategies. Those are good questions, so let’s jump right in.
First, you must be transparent about what data you’re collecting and the specific purposes for which it’s being collected and processed. You must also limit the collection of personal data to that which is adequate, relevant, and reasonably necessary in relation to the purposes you’ve disclosed about why the data is processed. And that means you need to have a strategic use for the data before you collect it.
The CPA also restricts your ability to use data you’ve already collected for a new, undisclosed use. In other words, you can’t repurpose data. If you have a new activity that you need personal data for, you need to disclose that activity to your users (so it’s transparent and, if applicable, they have the opportunity to opt out), and then create an entirely new dataset.
You’re also required to take security precautions when it comes to storing and using data. The CPA requires that these security measures be “appropriate to the volume, scope, and nature of the personal data processed,” as well.
Finally, you are prohibited from discriminating against a user who chooses to exercise their rights to opt out. And, if you are asking users for sensitive personal data (their race, sexual orientation, precise location, and so on), they must affirmatively opt in before you can legally collect that data.
Data Protection Assessment Requirements
There’s one more important thing you need to know to remain compliant with the CPA: you may not conduct processing activities that “present a heightened risk of harm to a consumer, without conducting and documenting a data protection assessment of each processing activity.”
Under the CPA, activities that present a heightened risk of harm include selling personal data, processing sensitive data, processing personal data for purposes of target advertising, or for processing personal data for the purpose of profiling (if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury to consumers, or other substantial injury).
Your data processing assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing of the personal data against the potential risks to the rights of the consumer associated with the processing. And, of course, you must mitigate these risks as much as possible.
At its core, the data protection assessment requires you to weigh the benefits of the activity against the risk to the consumer. This piece is critical, and in fact, if an action is brought against you, the Attorney General or District Attorney can request your assessment as part of the investigation.
Create Your Privacy Best Practices Now
As you can see, the CPA ushers in some key differences between consumer privacy rights now versus their rights in the future. If you operate in Colorado or have users in Colorado, you need to start ramping up now to ensure you’re compliant when the law goes into effect in the summer of 2023. Otherwise, you may be at risk of steep penalties.
The CPA codifies privacy best practices, from being strategic and purposeful around what data you collect and how you use it, to making sure you disclose your purposes to users and give them the option to opt-out of various uses of their personal data. But, now that you understand the major points of the law, you can start taking steps to create processes around those best processes, so you’re fully prepared when it goes into effect.
