By Tyler Rauert
When did The Colorado Privacy Act take effect?
July 1, 2023.
Who Does the Colorado Privacy Act Apply To?
The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:
- Process the personal data of more than 100,000 individuals in any calendar year; or
- Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.
How Will Companies Be Notified of Non-Compliance?
The Attorney General or District Attorney must first send a letter giving the violator 60 days to cure the violation. The process of providing notice of a violation and allowing 60 days for a cure will be in effect until Jan. 1, 2025. However, it is important to note that if the Attorney General or District Attorney determines that no fix is possible for the violation, no such letter is required.
What are the Penalties for Non-Compliance?
Penalties and fines will be allocated per the Colorado Consumer Protection Act, which means that fines per violation can range from $2,000 to $20,000 and may also result in criminal charges.
What is Unique About Colorado’s Privacy Act?
While Colorado’s Act is similar to the better-known California Privacy Rights Act and the Virginia Consumer Data Protection Act, our state’s law has three unique characteristics worthy of note.
- Active Attorney-General Enforcement
Colorado’s privacy law will be the first to be backed by a full set of regulations created by the state’s attorney general, creating a heightened enforcement environment. Unlike other states, where regulators are asked to enforce a vaguely worded legislative mandate, Colorado’s attorney general will know exactly what is required because his office wrote the rules. As such, businesses in Colorado can expect a more active enforcement regime than in other states. While the attorney general has made it clear that his office will focus on businesses “willfully” violating the law in its first round of enforcement notices, fines of up to $20,000 per violation should sharpen focus on compliance.
- Restrictions Around Inferring Sensitive Data
Another unique aspect of Colorado’s privacy law is that it is the first in the U.S. to set standards for automated decision-making and a new category of “sensitive data inferences,” which are subject to tightened restrictions on the collection, creation and use of some personal data. This includes situations in which companies can infer the health needs of individuals who have shared their browsing history or the religious beliefs of someone who disclosed certain dietary restrictions. The concept of “sensitive data” is known to those familiar with European privacy jurisprudence, but outside of healthcare, this is a somewhat novel concept on the American privacy landscape.
- Nonprofits are Not Off the Hook
Colorado’s privacy law is also unique in that, unlike other states, it applies to for-profit and not-for-profit entities. Nonprofits don’t generally think of themselves as businesses and have not been required to make changes for California’s or any other state’s privacy laws. Many will likely be surprised that the Colorado Privacy Act applies to them.
Read Part 4 of our series to learn what you need to do now to comply with the new law. If you’d like additional help or counsel on how to plan and execute your company’s privacy compliance action plan, please contact Fortis’ data privacy expert, Tyler Rauert.