If you’ve been following along, you probably noticed a lot of similarities between VCDPA and CTDPA. The next state data privacy law we’re going to look at, the Colorado Privacy Act (CPA), completes our trio of closely aligned laws coming into effect this year. Each has its own quirks, but they find a lot of common ground. CPA comes into effect on July 1st, and will have a 60-day cure period that remains in effect until January 1st, 2025.
Much like the other state laws we’ve looked at for 2023, CPA codifies the right to know, the right to rectification, the right to portability, the right to deletion, the right to opt out of sale, and the right to opt out of targeted advertising. One of the unique features of CPA is the requirement to establish and provide an internal appeal process if you choose to deny a consumer’s request to exercise any of the previously mentioned rights. Additionally, CPA requires you to inform the consumer of their right to contact the Colorado Attorney General if, after the appeal process, they have concerns about the result of the appeal. The Colorado Privacy Act also sets a limit on the number of times a consumer may request to exercise their right to data portability in a calendar year: while any entity subject to CPA must provide a consumer with their personal data in a portable format at the consumer’s request, the consumer may exercise that right only twice per calendar year.
One question many data controllers likely have about CPA is whether they have to store or maintain personal data in a way that can be associated with a consumer in case that consumer requests to exercise one of the rights mentioned above. The answer is no: if the data you process is de-identified, or it would be unreasonably burdensome to associate it with an authenticated consumer request, you do not have to set up a process that maintains data for the purpose of linking personal data to an authenticated consumer request. From a consumer privacy perspective, this is likely the more desirable scenario anyway.
Additionally, the CPA requires data controllers that process data for the purposes of profiling, processing sensitive data, targeted advertising, or selling personal information to conduct a data protection assessment for each of these processing activities. These data protection assessments apply only to processing activities generated or created on or after the effective date of July 1st, 2023. A single data protection assessment can address a set of similar data processing activities. Controllers will have an obligation to provide data protection assessments to the Colorado Attorney General upon request, though the assessments remain exempt from public review and from Colorado Open Records Act requests.