The Colorado Privacy Act
-
• The Colorado Privacy Act applies to Controllers and Processors. A Controller is the entity that determines the purposes and means of processing Personal Data. The Act applies to a Controller that (1) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to Colorado consumers, and (2) either
o Processes the Personal Data of 100,000 or more Colorado consumers during a calendar year; or
o Processes the Personal Data of 25,000 or more Colorado consumers and derives revenue or receives a discount on the price of goods or services from the sale of such Personal Data
• Any business or entity that processes Personal Data on behalf of a Controller is considered a Processor.
• There are numerous exceptions to the applicability of the Colorado Privacy Act in terms of both the types of entities and the types of data that are collected. For example, the Colorado Privacy Act does not apply to:
o Data maintained for employment records purposes
o Protected Health Information
o Patient Identifying Information
o Identifiable Private Information
o Information and documents created by an entity that is covered by HIPAA
o Information that is regulated by the FCRA
o Information that is regulated and covered by the GLBA
o Information that is regulated and covered by COPPA
• Additionally, the Colorado Privacy Act does not limit a Controller's or Processor's ability to
o Comply with applicable law or court orders
o Prepare for or investigate anticipated legal action or claims
o Conduct internal research to improve, repair, or develop products, services, or technology
o Identify and repair errors in a product, service, or technology
o Protect the vital interests of the consumer or another individual
o Respond to or protect against security incidents or other illegal activity
o Preserve the integrity or security of systems
o Process Personal Data for reasons of public health interest
o Assist others with the foregoing activities
-
• Under the Colorado Privacy Act, “Personal Data” does not include Deidentified Data. Because the Colorado Privacy Act only regulates the collection, use, retention, selling, and processing of Personal Data, Deidentified Data is not subject to the law.
• “Deidentified Data” includes any information that cannot reasonably be linked to, or be used to infer information about, a consumer or a specific device. A Controller that collects, retains, and/or processes Deidentified Data must:
o Take reasonable measures to maintain the information’s deidentified state (i.e., that it cannot reasonably be linked to a consumer);
o Publicly commit (e.g., within the privacy policy) to maintain and use the information only in its deidentified state; and
o Enter into contracts with recipients of the Deidentified Data that require such third parties to maintain its deidentified state.
• A Controller who discloses Deidentified Data must enter into a contract with the third party so that the Controller can exercise reasonable oversight to ensure the information is kept in a deidentified state.
• Additionally, the Colorado Privacy Act exempts Pseudonymous Data from a consumer’s individual rights under the law so long as the Controller can demonstrate that the information needed to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the Controller from accessing it. “Pseudonymous Data” includes any information that cannot be attributed to a specific person without the use of additional information, so long as that additional identifying information is stored separately and is subject to effective technical and organizational measures ensuring it is not combined with the Pseudonymous Data. In practice, the “separately kept” identifying information is typically a keyed token map or the secret key used to generate the tokens, held in a system the analytics side cannot read; an unkeyed hash of an identifier does not meet this bar, because anyone with a list of candidate identifiers can recompute the hashes and re-link the records.
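The separation the statute describes, as an added example (not from the original page and not legal advice): a Controller holds an event table keyed on email addresses, replaces the email with an HMAC-SHA256 token whose key lives in a separate vault, and gates re-identification behind an authorized role. The IdentityVault class, the “privacy-officer” role, the sample events and the attacker’s candidate list are all constructed for illustration. The block also shows why an unkeyed hash is not an adequate pseudonym: a simulated attacker with a candidate list re-links every unkeyed record and none of the keyed ones.

```python
"""Pseudonymization with the re-identification secret held apart from the data."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List

# Constructed sample input: three events keyed on a direct identifier (email).
RAW_EVENTS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "event": "page_view", "path": "/pricing"},
    {"email": "bob@example.com", "event": "purchase", "path": "/checkout"},
    {"email": "alice@example.com", "event": "purchase", "path": "/checkout"},
]

# Constructed list of identifiers a hypothetical attacker might guess from.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


class IdentityVault:
    """Holds the HMAC key and the token -> identifier map (the 'separately kept' data).

    Hypothetical stand-in for a distinct service (KMS/HSM-backed key plus a
    restricted table) that the analytics systems cannot read. The separation is
    modeled by exposing only pseudonymize() and a role-gated reidentify().
    """

    def __init__(self, key: bytes, authorized_roles: Iterable[str] = ("privacy-officer",)) -> None:
        if len(key) < 32:
            raise ValueError("pseudonymization key must be at least 256 bits")
        self._key = key
        self._lookup: Dict[str, str] = {}
        self._authorized = frozenset(authorized_roles)

    def pseudonymize(self, identifier: str) -> str:
        # Keyed hash: the same identifier always yields the same token, so events
        # remain joinable, but without the key the token is not invertible.
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str, role: str) -> str:
        # Organizational control: only an authorized role may re-link a token.
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not re-identify pseudonymous data")
        return self._lookup[token]


def pseudonymize_events(events: List[Dict[str, str]], vault: IdentityVault) -> List[Dict[str, str]]:
    """Return a copy of the events with the direct identifier replaced by a token."""
    return [
        {"subject": vault.pseudonymize(e["email"]), "event": e["event"], "path": e["path"]}
        for e in events
    ]


def unkeyed_token(identifier: str) -> str:
    """The weak approach: a plain hash with no secret. Shown only for contrast."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def relink_by_guessing(tokens: Iterable[str], candidates: Iterable[str],
                       token_fn: Callable[[str], str]) -> Dict[str, str]:
    """Simulate an attacker who holds the dataset and a list of candidate identifiers.

    token_fn is whatever the attacker can compute. Against an unkeyed hash that is
    the whole scheme; against the HMAC scheme the attacker lacks the key, so the
    best available guess is the unkeyed hash and nothing matches.
    """
    rainbow = {token_fn(c): c for c in candidates}
    return {t: rainbow[t] for t in tokens if t in rainbow}


def reidentify_allowed(vault: IdentityVault, token: str, role: str) -> bool:
    """True if the role can re-link the token, False if the vault refuses."""
    try:
        vault.reidentify(token, role)
        return True
    except PermissionError:
        return False


def demo():
    """Run the scheme end to end; returns (keyed leaks, unkeyed leaks, re-linked id, analyst allowed)."""
    vault = IdentityVault(secrets.token_bytes(32))
    pseudonymous = pseudonymize_events(RAW_EVENTS, vault)
    tokens = [row["subject"] for row in pseudonymous]

    # Joinability preserved: Alice's two events share one token, Bob's differs.
    assert tokens[0] == tokens[2] and tokens[0] != tokens[1]

    keyed_leak = relink_by_guessing(tokens, CANDIDATE_EMAILS, unkeyed_token)
    weak_tokens = [unkeyed_token(e["email"]) for e in RAW_EVENTS]
    unkeyed_leak = relink_by_guessing(weak_tokens, CANDIDATE_EMAILS, unkeyed_token)

    return (len(keyed_leak), len(unkeyed_leak),
            vault.reidentify(tokens[0], "privacy-officer"),
            reidentify_allowed(vault, tokens[0], "analyst"))


if __name__ == "__main__":
    print(demo())
```

The point to take from the contrast is that the legal status of the data tracks the technical design: the same event table is pseudonymous only while the key and lookup map are held somewhere the processing side cannot reach, and the moment an analyst can call `reidentify` the separation, and the exemption that depends on it, is gone.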
-
• Under the Colorado Privacy Act, a Controller must provide notice (likely in the form of a Privacy Policy) that is reasonably accessible, clear, and meaningful. Such notice must include the following information:
o Categories of Personal Data that are collected or processed;
o The purposes that the Personal Data is collected and processed for;
o How and where consumers may exercise their rights under the Colorado Privacy Act, including contact information and information on how a consumer can appeal denials or such requests;
o Categories of Personal Data that are shared with third parties;
o Categories of third parties that Personal Data is shared with; and
o If selling or processing Personal Data for profiling or targeted advertising purposes, the Controller must clearly and conspicuously disclose such sale and processing, as well as the manner in which a consumer may opt out.
-
• The Colorado Privacy Act provides the following individual rights to consumers:
o To opt out of the processing of Personal Data for the purposes of (i) targeted advertising; or (ii) profiling of the consumer in furtherance of decisions that produce legal, or similarly significant, effects on the consumer;
o To opt out of the sale of their Personal Data;
• Under an individual’s opt-out rights in relation to the sale of their Personal Data or targeted advertising, a Controller must provide a clear and conspicuous method for the individual to exercise that right. This means the right and the method must be clearly and conspicuously posted both in the privacy policy and elsewhere (e.g., a dedicated, separate link). By 2024, Controllers must honor a universal opt-out mechanism that allows an individual to exercise all of their opt-out rights at the same time. However, regulations on such universal opt-out mechanisms have not yet been promulgated.
• Once an individual has opted out, a Controller can obtain subsequent consent in order to override the opt out. That consent can be obtained through a web page, application, or other similar method so long as the individual is provided a clear and conspicuous notice that informs them of:
o The individual’s choices;
o The categories of Personal Data to be processed;
o The purposes for processing the Personal Data; and
o An explanation of how and where the consumer may withdraw consent in a way that is just as easy as it was to give consent (i.e., on the same web page).
• Opt In Consent
o Under the Colorado Privacy Act, Controllers are prohibited from processing Sensitive Data without first obtaining the consumer’s consent.
-
• “Sensitive Data” includes:
o Personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
o Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; and
o Personal data from a known child.
-
• Under the Colorado Privacy Act, consumers have the right to opt out of both targeted advertising and profiling that results in decisions that produce legal, or similarly significant, effects on the consumer.
• “Targeted Advertising” includes any advertisement that is based on Personal Data obtained or inferred from the consumer’s activities across non-affiliated third-party websites (i.e., not the Controller’s own website) or online services in order to predict consumer preferences. Targeted advertising does not include the following:
o Advertising based on consumer requests or feedback;
o Advertising based on activities within a Controller’s own website;
o Advertising based on the context of a consumer’s search inquiry, visit to a website or online application; or
o Processing of Personal Data solely to measure or report analytics.
• It is important to note here that cookies are likely Personal Data under the Colorado Privacy Act. Personal Data includes information that is reasonably linked or linkable to an individual. Because a cookie carries a persistent identifier and the browsing behavior and activity tied to it (even when later aggregated), cookies and the data they key are reasonably linked or linkable to an individual.
• “Decisions that produce legal, or similarly significant, effects” includes any decision resulting in the denial or provision of financial services, housing, insurance, educational opportunity, criminal justice, employment, health care services, or access to essential goods and services. Practically, this means that a Controller who is processing Personal Data in any way related to providing or denying someone the items or services listed, will need to provide consumers the ability to opt out of such processing.
-
• As described above, a Controller must post in the privacy policy or notice details and sufficient information to allow a consumer to exercise their rights by submitting a request(s). The method provided must take into account (1) the ways in which a consumer normally interacts with the Controller, (2) the need for secure and reliable communication relating to the request, and (3) the ability of the Controller to authenticate the identity of the consumer making the request.
o The Controller is prohibited from requiring a consumer to create a new account in order to exercise a right under the Colorado Privacy Act.
• The Colorado Privacy Act provides the following individual rights to consumers:
o To opt out of the processing of Personal Data for the purposes of (i) targeted advertising; or (ii) profiling of the consumer in furtherance of decisions that produce legal, or similarly significant, effects on the consumer;
o To opt out of the sale of their Personal Data;
o To access Personal Data collected about them;
o To correct inaccurate Personal Data collected about them;
o To delete Personal Data collected about them; and
o To data portability.
• Right to Correction
o An individual’s right to request a correction is limited to inaccuracies, taking into account the nature of the data and the purposes of the processing of the individual’s Personal Data.
• Right to Data Portability
o In connection with access, individuals have the right to obtain their data in a portable and, to the extent technically feasible, readily usable format that allows the individual to transmit the data to another entity. The right to data portability is limited in that individuals can make such a request a maximum of two times per calendar year, and such requests cannot include any data regarded as a trade secret.
• Controller Responses
o Under the Colorado Privacy Act, a Controller must respond, with some action being taken, to an individual request (e.g., for access) within 45 days of receiving the request. That timeline can be reasonably extended by another 45 days if the requests are numerous or complex, so long as the individual is informed of the extension. Controllers are prohibited from charging an individual for their first request. However, Controllers can charge a reasonable fee for a duplicate request within the same calendar year as the first request.
o Controllers do not have to respond to individual requests if they are unable to authenticate the request after using commercially reasonable efforts to do so. Specifically, a Controller can request that the individual provide additional information that is reasonably needed to authenticate the request. The authentication step deserves attention in its own right: an access or portability response discloses a consumer's full record, so a request channel that accepts an unverified email address is an exfiltration path for anyone who knows the victim's address.
o Finally, Controllers must provide internal procedures and mechanisms allowing an individual to appeal a refusal to act within a reasonable period. The appeal procedures must be conspicuously available and as easy to use as the process for submitting requests in the first place. Such procedures must include an explanation of the individual’s right to contact the Colorado Attorney General if they have concerns.
-
• A Controller is prohibited from processing (or directing a Processor to process) Personal Data in a way that presents a heightened risk of harm to an individual without first conducting and documenting a Data Protection Assessment. High-risk processing includes:
o Targeted advertising or profiling that presents a reasonably foreseeable risk of:
Financial harm,
Unfair or deceptive treatment,
Intrusion on the solitude or seclusion of private affairs (reasonable person standard), or
Other substantial injury to consumer;
o The sale of Personal Data; or
o Any processing that involves Sensitive Data.
• The Colorado Privacy Act also sets forth what such Data Protection Assessments must consist of. The Data Protection Assessment must identify and weigh the benefits of the processing against the potential risks to the individual’s rights over the Personal Data. The Assessment should also factor in the existence or possibility of safeguards that mitigate the risks. Finally, the Assessment must factor in the possibility (or impracticality) of using Deidentified Data and what the individual’s reasonable expectations are based on their direct relationship with the Controller.
• The Data Protection Assessment must be made available to the Colorado Attorney General upon request. Separate Assessments covering individual processing activities are not necessary; a single Assessment can cover multiple, similar processing activities.
-
• Data mapping is the process by which a Controller inventories what Personal Data it holds, where that data is stored (which models, servers, or silos), and how it flows between those systems and to third parties. There is no specific requirement under the Colorado Privacy Act for a Controller to conduct data mapping.
• However, practically, Controllers within the scope of the Colorado Privacy Act will need to conduct some form of data mapping in order to comply with various requirements under the law. For example, if a consumer requests the specific Personal Data that is collected about them and exercises their rights to access and data portability, a Controller will need to know exactly what they have collected about that consumer and where that information is. A Controller will not practically be able to do that without data mapping.
• Another example of where data mapping is practically required is if a Controller conducts Data Protection Assessment. To properly weigh the benefits and risks of information collection and processing, a Controller must know exactly how much information they are collecting and exactly where that information is stored and/or processed. Without data mapping, that task becomes extremely difficult.
-
• Under the Colorado Privacy Act, Controllers can only retain Personal Data if such data is adequate, relevant, and limited to only what is necessary for the purposes specified to the individual in the privacy policy.
-
• Closely related to a Controller’s data minimization obligation, a Controller is prohibited from processing Personal Data for purposes outside of what is reasonably necessary for the purposes specified to the individual in the privacy policy. Processing and use of Personal Data outside of those within a privacy policy is only allowed if the Controller obtains consent from all affected individuals.
• In sum, if a Controller’s use of the Personal Data is not compatible with the expressed purposes and descriptions in the privacy policy, that Controller is in violation of the Colorado Privacy Act.
-
• Under the Colorado Privacy Act, Controllers and Processors must enter into specific written contracts in order to comply with the law. Specifically, the contract between a Controller and Processor must contemplate and provide for:
o Processing instructions binding on the Processor, including the provisions that identify the nature and purpose of the processing;
o the Personal Data subject to the processing as well as the duration of the processing;
o Standard confidentiality requirements;
o Provisions that require subcontractors to be bound by the same or higher obligations and standards;
o Appropriate security measures that must be implemented and maintained;
o Provisions that allow the Controller to decide whether to have the Personal Data deleted or returned at the end of the Contract;
o A requirement that the Processor provide all documentation necessary to show compliance with the law and the contract to the Controller; and
o Audit and review obligations that allow the Controller (or a qualified independent third party) to ensure the Processor’s compliance with the Colorado Privacy Act and the contract, and that require the Processor to contribute to such audits or reviews.
-
• Under the Colorado Privacy Act, individuals have the right to opt out of the sale of their Personal Data. An action or disclosure is considered a “sale” if the Controller is exchanging Personal Data for monetary or other valuable consideration.
• An action or disclosure is not considered a “sale” if the Controller is disclosing Personal Data to:
o A Processor that processes the Personal Data on behalf of the Controller;
o A third party for purposes of providing a product or service requested by the individual;
o The Controller’s affiliate(s); or
o A third party as an asset that is part of a merger, acquisition, bankruptcy, or similar transaction.
-
• Under the Colorado Privacy Act, a Processor includes any entity that processes Personal Data on behalf of a Controller. A Processor’s main obligations under the Colorado Privacy Act are to reasonably assist the Controller in complying with its obligations and to adhere to the Controller’s instructions. Specifically, a Processor must:
o Adopt “appropriate technical and organizational measures” to help the Controller respond to individual requests;
o Provide the Controller assistance with data breach notifications; and
o Assist and enable the Controller to conduct and document any Data Protection Assessments that might be required.
• Outside of the direct relationship with the Controller, a Processor must:
o Ensure that all employees and contractors who are involved in processing the Personal Data are subject to a duty of confidentiality;
o Only engage contractors if the Controller has prior consent and approval rights, and only if such contractors are bound to the same obligations as the Processor;
o Implement and maintain appropriate technical and organizational measures that ensure a level of security appropriate to the risk; and
o Execute a contract with the Controller that governs the processing activities.
• In relation to the appropriate technical and organizational security measures the Processor must implement and maintain, such measures must take into account the context of the processing and establish a clear allocation of responsibilities between the Processor and Controller.
-
• Under the Colorado Privacy Act, a Controller must take reasonable measures to secure Personal Data, during both storage and use, from unauthorized acquisition. Such security measures must be appropriate to the nature of the business, volume, scope, and nature of the Personal Data that is processed.
-
• There is no private right of action under the Colorado Privacy Act. Under the Colorado Privacy Act, the Colorado Attorney General and district attorneys have exclusive authority to enforce the law’s requirements. Additionally, a violation of the Colorado Privacy Act is considered a violation of Colorado’s deceptive trade practice law, making such violations subject to numerous penalties and enforcement possibilities.
• If an entity can possibly cure its violation of the Colorado Privacy Act, the Attorney General or district attorney must issue a notice providing the entity 60 days to cure the violation. If the violation is not cured within 60 days, legal action can be taken. However, it is important to note that the 60-day cure period sunsets in 2025, meaning that beginning in 2025, entities will not be afforded notice and the opportunity to cure a violation prior to suffering legal consequences.
The Benesch Data Protection Team is composed of attorneys from the firm’s 3iP (Innovations, Information Technology and Intellectual Property), Healthcare, Labor & Employment, and Litigation Practice Groups.