Colorado - Data Protection Overview
September 2024
1. Governing Texts
The Colorado State Governor signed, on July 7, 2021, Senate Bill (SB) 21-190 for an Act concerning additional protection of data relating to personal privacy, otherwise known as the Colorado Privacy Act (CPA), which was re-passed, on June 8, 2021, by the Colorado Senate following their consideration of amendments made to the CPA by the Colorado House of Representatives. The CPA was also amended on May 31, 2024, after signature by the Governor of:
- SB 24-041 on Privacy Protections for Children's Online Data, effective from October 1, 2025; and
- House Bill (HB) 24-1130 for An Act concerning protecting the privacy of individual's biological data, and, in connection therewith protecting the privacy of neural data and expanding the scope of the CPA accordingly.
The Colorado Privacy Act Rules (CPA Rules) were published by the Attorney General (AG) on March 15, 2023.
Please note that the CPA and the CPA Rules came into force on July 1, 2023.
1.1. Key acts, regulations, directives, bills
- the CPA; and
- the CPA Rules.
1.2. Guidelines
The AG has published a Frequently Asked Questions & General Information section on its CPA Portal.
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
The CPA applies to controllers that conduct business, produce, or deliver commercial products or services that are intentionally targeted to Colorado residents and that satisfy one or both of the following thresholds (§6-1-1304(1) of the CPA):
- control or process personal data of 100,000 consumers or more per calendar year; or
- derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.
2.2. Territorial scope
The CPA applies to controllers that conduct business or produce or deliver commercial products or services that are intentionally targeted to Colorado residents (§6-1-1304(1) of the CPA).
2.3. Material scope
The CPA applies to personal data which is defined as information that is linked or reasonably linkable to an identified or identifiable individual (§6-1-1303(17)(a) of the CPA).
The CPA outlines that certain data is exempt from its scope, including (§6-1-1304(2) of the CPA):
- protected health information under Health Insurance Portability and Accountability Act of 1996 (HIPAA);
- health records;
- patient identifying information for purposes of §§290dd-2 of Title 42 of the U.S. Code, as part of the Public Health Service Act;
- personal data used or shared in research in accordance with the requirements of the CPA, or other research conducted in accordance with other laws;
- the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act of 1970 (FCRA);
- personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA);
- personal data collected, processed, sold, or disclosed under the Driver's Privacy Protection Act of 1994;
- personal data regulated by the Children's Online Privacy Protection Act of 1998 (COPPA); or
- personal data regulated by the Family Educational Rights and Privacy Act 1974 (FERPA).
Furthermore, §6-1-1304(3)(d) and (e) provide that the CPA does not apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech or the processing of personal data by an individual for household or personal activities.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The AG is the regulator within Colorado.
3.2. Main powers, duties and responsibilities
The CPA provides that the AG and/or District Attorney (DA) have the power to enforce the CPA (§6-1-1311 of the CPA).
Moreover, the CPA notes that the AG may promulgate rules for the purposes of establishing an opt-out mechanism and is required to do so by July 1, 2023. Please note that from July 1, 2024, data controllers are required to allow consumers to exercise their right to opt-out where their personal data is processed for the purposes of targeted advertising or the sale of personal data through a user-selected universal opt-out mechanism that meets the technical specifications established by the AG (§6-1-1306(1)(a)(3)(b) of the CPA).
In addition, the CPA outlines that by January 1, 2025, the AG may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of the CPA. The rules must become effective by July 1, 2025 (§6-1-1311(1)(d) of the CPA).
Furthermore, as per §6-1-107 of the CPA, when the AG or a DA has reasonable cause to believe that any person, whether in Colorado or elsewhere, has engaged in or is engaging in any deceptive trade practice, the AG or DA has the power to issue:
- subpoenas (§6-1-108 of the CPA); or
- restraining orders or injunctions (§6-1-110 of the CPA).
4. Key Definitions
Data controller: A person who, alone or jointly with others, determines the purposes for and means of processing personal data (§6-1-1303(7) of the CPA).
Data processor: A person who processes personal data on behalf of a controller (§6-1-1303(19) of the CPA).
Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual; it does not include de-identified data or publicly available information (§6-1-1303(17)(a) of the CPA).
In addition, publicly available information means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public (§6-1-1303(17)(b) of the CPA).
Sensitive data: Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child (§6-1-1303(24) of the CPA).
Health data: The CPA defines 'health-care information' as individually identifiable information relating to the past, present, or future health status of an individual (§6-1-1303(13) of the CPA).
Human Involved Automated Processing: the automated processing of Personal Data where a human reviews the automated processing, but the level of human engagement does not rise to the level required for Human Involved Automated Processing. Reviewing the output of the automated processing with no meaningful consideration does not rise to the level of Human Involved Automated Processing (CPA Rules).
Biometric data: Not applicable.
Pseudonymization: The CPA defines 'pseudonymous data' as personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual (§6-1-1303(22) of the CPA).
Data subject: The CPA does not provide a definition for 'data subject' but instead refers to 'consumers,' which are defined as individuals who are Colorado residents acting only in an individual or household context and does not include an individual acting in a commercial or employment context as a job applicant, or as a beneficiary or someone acting in an employment context (§6-1-1303(6) of the CPA).
5. Legal Bases
The CPA states that personal data processed by a controller pursuant to an exception shall not be processed for any purpose other than a purpose expressly listed in the CPA and shall be processed to the extent that such processing is necessary, reasonable, and proportionate to the specific purpose(s) listed or authorized by the CPA (§6-1-1304(4) of the CPA).
Moreover, if a controller processes personal data pursuant to an exemption, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the abovementioned requirements (§6-1-1304(5) of the CPA).
5.1. Consent
The CPA defines 'consent' as a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent (§6-1-1303(5) of the CPA, Rule 7.03 of the CPA Rules):
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
- hovering over, muting, pausing, or closing a given piece of content; and
- agreement obtained through dark patterns.
Importantly, the CPA Rules specify that consent is not freely given when it reflects acceptance of general terms of use or a similar document that contains descriptions of personal data processing, along with other unrelated information (Rule 7.03(C)(2)(a) of the CPA Rules). Additionally, after stating that consent must be specific, the CPA Rules clarify that controllers may request consent to process personal data for multiple processing purposes that are not reasonably necessary to, or compatible with, one another using a single consent request, as long as there is also an option for more granular consent within the same consent interface (Rule 7.03(D)(1)(a) of the CPA Rules). Furthermore, the CPA Rules provide another clarification with respect to the specificity of consent: consent to process personal data for one specific purpose does not constitute valid consent to process personal data for other purposes that are not reasonably necessary to, or compatible with, that specific purpose (Rule 7.03(D)(2) of the CPA Rules).
Uniquely, the CPA Rules establish the rules on consent refresh and introduce the provision that when a consumer has not interacted with a controller in the prior 24 months, the controller must refresh consent to continue processing sensitive data, or to continue processing personal data for a secondary use, if the secondary use involves profiling for a decision in a variety of specified cases. It is determined that controllers are not required to refresh consent where a consumer has access and the ability to update their opt-out preferences at any time through a user-controlled interface (Rule 7.08 of the CPA Rules).
Part 7 of the CPA Rules clarifies the requirements to obtain consent under the CPA, including the prohibition on using dark patterns (Rule 7.01, Rule 7.03(F) of the CPA Rules). Specifically, the rules require a controller to obtain consent prior to processing sensitive data, processing the data of a known child, processing for a purpose different from the original purpose for which the data was gathered, or processing for targeted advertising after a consumer has opted out of the sale (Rule 7.02 of the CPA Rules). The CPA Rules state that controllers may rely on consent obtained before July 1, 2023, to continue to process data (Rule 7.02(B) of the CPA Rules).
The CPA Rules also specify that a controller must provide, at minimum, the following information to the consumer (Rule 7.03(E) of the CPA Rules):
- the controller's identity;
- the plain-language reason consent is required;
- processing purpose(s);
- categories of personal data;
- names of all third parties receiving sensitive data (if applicable);
- description of the consumer's right to withdraw consent at any time; and
- any other disclosures as required.
Additional obligations outlined in the CPA Rules include:
- form requirements for controller's requests for consent (Rule 7.04 of the CPA Rules);
- processing of consent after a consumer opts out (Rule 7.05 of the CPA Rules);
- processing of consent for children (Rule 7.06 of the CPA Rules);
- refusing or withdrawing consent (Rule 7.07 of the CPA Rules);
- refreshing consent (Rule 7.08 of the CPA Rules); and
- designing a user interface, choice architecture, and dark patterns (Rule 7.09 of the CPA Rules).
5.2. Contract with the data subject
The obligations imposed under the CPA do not restrict a controller or processor's ability to identify and repair technical errors that impair existing or intended functionality, or to perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller (§§6-1-1304(3)(a)(VI) and (VII) of the CPA). Additionally, the CPA does not restrict a controller or processor's ability to provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract (§6-1-1304(3)(a)(VIII) of the CPA).
5.3. Legal obligations
The obligations imposed under the CPA do not restrict a controller or processor's ability to (§6-1-1304(3)(a)(I) to (III) of the CPA):
- comply with federal, state, or local laws, rules, or regulations;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
- cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law; or
- investigate, exercise, prepare for, or defend actual or anticipated legal claims.
5.4. Interests of the data subject
The CPA provides that nothing within its provisions may restrict the ability of controllers or processors to protect the vital interests of the consumer or another individual (§6-1-1304(3)(a)(IX), of the CPA).
5.5. Public interest
The CPA provides that the obligations imposed on controllers or processors do not restrict their ability to process personal data for reasons of public interest in the area of public health but solely to the extent that the processing (§6-1-1304(3)(a)(XI) of the CPA):
- is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and
- is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.
5.6. Legitimate interests of the data controller
While the CPA does not expressly address the processing of data for the legitimate interest of the controller, it indirectly provides that the CPA's obligations on controllers and processors do not restrict their ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action (§6-1-1304(3)(a)(X) of the CPA).
The CPA also states that it does not restrict the ability of controllers and processors to conduct internal research to improve, repair, or develop products, services, or technology (§6-1-1304(3)(a)(V) of the CPA).
5.7. Legal bases in other instances
The obligations imposed on controllers or processors under the CPA do not (§6-1-1304(3)(b) to (d) of the CPA):
- apply where compliance would violate an evidentiary privilege under Colorado law;
- prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication; or
- apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law.
6. Principles
The CPA outlines data protection principles, including the following (§6-1-1308(1) to (7) of the CPA):
- Duty of transparency: providing consumers with a reasonably clear, accessible, and meaningful privacy notice;
- Duty of purpose specification: specifying the express purposes for which personal data will be collected and processed;
- Duty of data minimization: collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to its specified purposes;
- Duty to avoid secondary use: not to process personal data for other purposes not compatible with the initial specified purpose unless the controller obtains the consumer's consent;
- Duty of care: taking reasonable measures to secure personal data both in storage and authorization acquisition; and
- Duty to avoid unlawful discrimination: not to process personal data, which violates laws that prohibit unlawful discrimination against consumers.
In addition, the CPA requires data controllers to adhere to the following obligations (§6-1-1308(2)-(7) of the CPA):
- collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to its specified purposes;
- not to process personal data for other purposes not compatible with the initial specified purpose unless the controller obtains the consumer's consent;
- taking reasonable measures to secure personal data;
- not to process personal data which violates laws that prohibit unlawful discrimination against consumers; and
- not to process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
Purpose specification
The final version of the CPA Rules reiterates that controllers must specify the express purposes for which each category of personal data is collected and processed in both external disclosures and internal documentation. Compared to the previous draft of the CPA Rules, the final version specifies that the express purpose must be described in a level of detail that gives consumers a meaningful understanding of how each category of their personal data is used and notes that controllers should not specify so many purposes for which personal data could potentially be processed, such as potential future processing activities, that the purpose becomes unclear or uninformative (Rule 6.06 of the CPA Rules).
Data minimization
Similar to the previous draft rules, the CPA Rules mandate that controllers determine the minimum personal data that is necessary, adequate, or relevant for each processing purpose and document such assessment to ensure that only personal data that is reasonably necessary for the relevant purpose is collected (Rule 6.07(A) of the CPA Rules).
In any case, personal data should only be kept in a form that allows the identification of consumers for as long as is necessary for the express processing purposes. To ensure compliance with the data minimization obligation, controllers shall set specific time limits for erasure or conduct a periodic review of the personal data retained (Rule 6.07(B) of the CPA Rules). The Rules also state that a controller shall not collect more personal data than is disclosed in its required privacy notice, and if additional data is collected, the privacy notice should be revised in addition to notifying consumers (Rule 6.07(C) of the CPA Rules). Compared to the draft CPA Rules, the final version further adds that sensitive data for which controllers no longer have consent to process should be deleted or otherwise rendered permanently anonymized or inaccessible within a reasonable period after the withdrawal of consent.
Secondary use
In terms of provisions on secondary use, the CPA Rules do not feature any major substantive change from the draft version. As such, the CPA Rules state that in case of processing of personal data for purposes that are not reasonably necessary to, or compatible with, the purpose(s) disclosed to consumers before the time the personal data is collected from the same, the controller must obtain the consent of the consumer (Rules 6.08(A) and 6.08(B) of the CPA Rules).
In addition to the previous draft version of the CPA Rules is the provision that, when carrying out the reasonable necessity or compatibility assessment, the controller may consider various factors, such as the reasonable expectation of an average consumer concerning how their personal data would be processed once it was collected (Rule 6.08(C) of the CPA Rules). On this point, the draft CPA Rules specifically required the controllers to consider these factors.
Duty of care
Provisions on the duty of care exhibit major innovations and additions when compared to those of the draft CPA Rules. The CPA Rules provide that personal data must be processed in a manner that ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of personal data collected, stored, and processed. The CPA Rules further add that controllers should consider various factors when determining the reasonable and appropriate safeguards, and that such reasonable and appropriate administrative, technical, organizational, and physical safeguards must be designed to (Rule 6.09 of the CPA Rules):
- protect against unauthorized or unlawful access to, or use of, personal data and the equipment used for the processing and against accidental loss, destruction, or damage;
- ensure the confidentiality, integrity, and availability of personal data collected, stored, and processed;
- identify and protect against reasonably anticipated threats to security or the integrity of information; and
- oversee compliance with data security policies by the controller and processors through reasonable requirements.
7. Controller and Processor Obligations
De-identified data
When processing de-identified data, the CPA does not require a controller or processor to do any of the following solely for purposes of complying with the CPA (§6-1-1307(1) of the CPA):
- reidentify de-identified data;
- comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to §6-1-1306(1) of the CPA if all of the following are true:
  - the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  - the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and
  - the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer; or
- maintain data in an identifiable form or collect, obtain, retain, or access any data or technology in order to enable the controller to associate an authenticated consumer request with personal data.
The CPA also states that a controller that uses de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments and take appropriate steps to address any breaches of contractual commitments (§6-1-1306(2) of the CPA). The rights outlined in §6-1-1306(1)(b) to §6-1-1306(1)(e) do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information (§6-1-1307(2) of the CPA).
7.1. Data processing notification
Not applicable.
7.2. Data transfers
The CPA does not address the transfer of personal data. Instead, the CPA defines 'sale,' 'sell,' or 'sold' as the exchange of personal data for monetary or other valuable consideration by a controller to a third party (§6-1-1303(23)(a) of the CPA). The terms do not include (§6-1-1303(23)(b) of the CPA):
- the disclosure of personal data to a processor that processes the personal data on behalf of a controller;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure or transfer of personal data to an affiliate of the controller;
- the disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
- the disclosure of personal data:
  - that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
  - intentionally made available by a consumer to the general public via a channel of mass media.
Regarding de-identified data, the CPA highlights that a controller or processor is not required to comply with an authenticated consumer rights request if they do not sell personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer (§6-1-1307(1)(b)(III) of the CPA).
The CPA states that a controller or processor that discloses personal data to another controller or processor in compliance with the CPA is not in violation if the recipient processes the personal data in violation of the CPA and the disclosing controller or processor did not have actual knowledge of the intent to commit a violation. A controller or processor in receipt of personal data from a disclosing controller or processor is also not in violation of the CPA if the receiving controller or processor fails to comply with the CPA (§6-1-1305(8) of the CPA).
7.3. Data processing records
Not applicable.
7.4. Data protection impact assessment
Requirements to conduct data protection impact assessment
The CPA notes that a controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of this section that presents a heightened risk of harm to a consumer (§6-1-1309(1) of the CPA). For purposes of §6-1-1309 of the CPA, 'processing that presents a heightened risk of harm to a consumer' includes the following (§6-1-1309(2) of the CPA):
- processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - financial or physical injury to consumers;
  - a physical or another intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
  - other substantial injury to consumers;
- selling personal data; and
- processing sensitive data.
Should a new data processing activity begin that materially changes the level of risk, a data impact assessment must reflect changes to the pre-existing activity and additional considerations and safeguards that are introduced to offset the new risk level (Rule 8.05(D) of the CPA Rules).
In addition, the CPA notes that data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed (§6-1-1309(3) of the CPA).
Part 8 of the CPA Rules clarifies the requirements associated with conducting data protection assessments (Rule 8.01 of the CPA Rules). A data protection assessment is required for each personal data processing activity that presents a heightened risk of harm to a consumer. In particular, the data protection assessment should (Rule 8.02 of the CPA Rules):
- identify and describe the risks to the rights of consumers associated with the processing;
- document the measures considered and taken to address and offset those risks;
- contemplate the benefits of the envisaged processing; and
- demonstrate that the benefits of the processing outweigh the risks offset by safeguards in place.
To this end, a data protection assessment must involve all relevant internal stakeholders from across the controller's organization and all relevant external parties, to identify, assess, and address the risks entailed by the processing of data (Rule 8.03 of the CPA Rules). Furthermore, the level of detail and scope of data protection assessments should take into account the scope of risk presented, the size of the controller, the personal data processed, the data processing activities subject to the assessment, and the complexity of safeguards applied (Rule 8.02(D) of the CPA Rules).
Moreover, the CPA outlines that single data protection assessments may address a comparable set of processing operations that include similar activities (§6-1-1309(5) of the CPA).
Please note that data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive (§6-1-1309(6) of the CPA).
Controllers must conduct and document data protection assessments as described in Rule 9.06 of the CPA Rules if profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on consumers;
- financial or physical injury to consumers;
- physical or other intrusion upon the solitude or seclusion, or private affairs or concerns if the intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers.
Requirement to share data protection impact assessments
Controllers are also required to make data protection assessments available to the AG upon request. The AG may evaluate the data protection assessments for compliance with the duties contained in §6-1-3108 of the CPA and other laws regarding compliance with the duties contained in the CPA (§6-1-1309(4) of the CPA).
A controller must make the data protection assessment available to the AG within 30 days of the AG's request (Rule 8.06 of the CPA Rules). Notably, where a data protection assessment conducted for the purpose of complying with another jurisdiction's law or regulation is not similar in scope and effect to a data protection assessment under the CPA Rules, a controller may submit that assessment with a supplement that contains any additional information required by this jurisdiction (Rule 8.02 of the CPA Rules).
Data protection assessments are confidential and exempt from public inspection and copying under the Colorado Open Records Act (§§24-72-201 to 206 of the Colorado Revised Statutes). Disclosure of a data protection assessment pursuant to a request from the AG under §6-1-1309(4) of the CPA does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the data protection assessment and any information contained in it (§6-1-1309(4) of the CPA).
Content required in a data protection impact assessment
More specifically, the CPA Rules list the minimum content that any data protection assessment must present, which includes (Rule 8.04 of the CPA Rules):
- a short summary of the processing activity;
- the categories of personal data to be processed and whether they include sensitive data, including personal data from a known child;
- the context of the processing activity, including the relationship between the controller and the consumers whose personal data will be processed, and the reasonable expectations of those consumers;
- the nature and operational elements of the processing activity;
- the core purposes of the processing activity, as well as other benefits of the processing that may flow, directly and indirectly, to the controller, consumer, other expected stakeholders, and the public;
- the sources and nature of the risks to the rights of consumers posed by the processing activity;
- measures and safeguards the controller will employ to reduce the risks identified by the controller;
- a description of how the benefits of the processing outweigh the risks identified, as mitigated by the safeguards identified;
- if a controller is processing sensitive data, the details of the process implemented to ensure that personal data and sensitive data inferences are not transferred and are deleted within 24 hours of the personal data processing activity;
- relevant internal actors and external parties contributing to the data protection assessment; and
- dates the data protection assessment was reviewed and approved, and names, positions, and signatures of the individuals responsible for the review and approval.
Time to conduct data protection impact assessments
With regard to the timing of data protection assessments, controllers should carry them out before initiating a data processing activity that presents a heightened risk of harm to a consumer (Rule 8.05(A) of the CPA Rules). Additionally, the CPA Rules mandate controllers to review and update their data protection assessments as often as appropriate considering the type, amount, and sensitivity of personal data processed, and the level of risk presented by the processing, throughout the processing activity's lifecycle (Rule 8.05(B) of the CPA Rules). Data protection assessments of processing activities that produce legal or similarly significant effects must be reviewed at least annually (Rule 8.05(C) of the CPA Rules).
7.5. Data protection officer appointment
The CPA does not specifically address data protection officer appointments.
7.6. Data breach notification
The CPA does not provide for breach notification requirements.
However, processors must adhere to the instructions of a controller and assist the controller in meeting their duties or requirements under the CPA, including helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system.
Please see our Colorado – Data Breach for further information.
7.7. Data retention
The CPA does not specifically address data retention.
7.8. Children's data
In the case of the processing of personal data concerning a known child, the CPA outlines that such data cannot be processed without first obtaining consent from the child's parent or lawful guardian (§6-1-1308(7) of the CPA). A child refers to an individual under 13 years of age (§6-1-1303(4) of the CPA).
The CPA Rules specify that a controller processing the personal data of a child must make reasonable efforts to obtain verifiable parental consent, considering available technology, and should ensure the person providing consent is the child's parent or lawful guardian (Rule 7.06(B) of the CPA Rules). Reasonably calculated methods to determine that the person providing consent is the child's parent or lawful guardian are outlined in Rule 7.06 of the CPA Rules. Any information provided for verification of the child's parent or lawful guardian may not be used for any reason other than the verification (Rule 7.06(D) of the CPA Rules).
7.9. Special categories of personal data
The CPA states that a controller shall not process a consumer's sensitive data without first obtaining the consumer's consent (§6-1-1308(7) of the CPA).
The CPA Rules further state that a controller may be exempt from obtaining consent to process the sensitive data of a consumer over 13 years of age only if (Rule 6.10(B) of the CPA Rules):
- processing is obvious to a reasonable consumer based on the context of collection and use of personal data;
- sensitive data inferences are permanently deleted within 24 hours of collection or completion of the processing activity (whichever is first);
- sensitive data inferences are not transferred, sold, or shared with any processors, affiliates, or third parties; and
- the personal data and sensitive data inferences are not processed for any other purpose than the purpose expressed to the consumer.
The CPA Rules also state that if sensitive data is deleted within 24 hours, the controller must include a description of the sensitive data inferences and the deletion timeline in its privacy notice (Rule 6.10(C) of the CPA Rules).
7.10. Controller and processor contracts
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures (§6-1-1305(4) of the CPA).
The CPA outlines that processors shall adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA. Taking into account the nature of the processing and the information available to the processor, the processor shall assist the controller by (§6-1-1305(2) of the CPA):
- taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to §6-1-1306 of the CPA;
- helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to §6-1-716 of the CPA; and
- providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by §6-1-1309 of the CPA.
The controller and the processor are each responsible only for the measures allocated to them.
In addition, the CPA states that processing by a processor must be governed by a contract between the controller and processor that is binding on both parties and that sets out, among other things (§6-1-1305(5) of the CPA):
- the processing instructions to which the processor is bound, including the nature and purpose of the processing;
- the type of personal data subject to the processing and the duration of the processing;
- implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement measures (§6-1-1305(4) of the CPA); and
- the following requirements:
  - at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  - make available to the controller all information necessary to demonstrate compliance with the obligations under Part 13 of the CPA; and
  - allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor.
Moreover, the CPA notes that in no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of their role in the processing relationship as defined by the CPA (§6-1-1305(6) of the CPA). Whether a person acts as a controller or processor regarding the processing of data is a fact-based determination (§6-1-1305(7) of the CPA).
Notwithstanding the instructions of a controller, a processor shall ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data and engage a subcontractor only after providing the controller with an opportunity to object (§6-1-1305(3) of the CPA).
8. Data Subject Rights
Format for consumer requests
According to Rule 4.02 of the CPA Rules, a controller’s privacy notice must include specific methods through which a consumer can submit requests to exercise data subject rights and any method specified by a controller should consider (Rule 4.02(A) and (B) of the CPA Rules):
- the methods a consumer normally interacts with a controller;
- that the consumer must be able to submit the request at any time;
- compliance with the requirements for disclosures under Rule 3.02;
- use of reasonable security measures consistent with Rule 6.09 when exchanging information; and
- be easy for consumers to execute, requiring a minimal number of steps.
Rule 4.02 also provides that the request method does not need to be specific to Colorado, the controller may only collect data to reasonably authenticate the consumer, and a new account may not be required (Rule 4.02(C), (D), and (E) of the CPA Rules). Controllers shall not require a consumer to create a new account to exercise consumer rights pursuant to the CPA but may require a consumer to use an existing account (§6-1-1306(1) and §6-1-1308(1)(c)(I) of the CPA).
A consumer should also specify which right the consumer wishes to exercise. The method available for consumers to exercise rights must consider (§6-1-1306(1) of the CPA):
- how consumers normally interact with the controller;
- the need for secure and reliable communication relating to the request; and
- the ability of the controller to authenticate the identity of the consumer making the request.
Nothing in the CPA shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program (§6-1-1308(1)(d) of the CPA). Additional provisions regarding loyalty programs are outlined within Rule 6.05 of the CPA Rules.
Rule 6.11 of the CPA Rules outlines the requirements for maintaining records of all consumer data rights requests made pursuant to §6-1-1306 of the CPA.
Authentication
A controller is not required to comply with a request to exercise any of the rights under §6-1-1306(1) of the CPA if the controller is unable to authenticate the request using commercially reasonable efforts (§6-1-1306(2)(d) of the CPA).
If a controller cannot authenticate the consumer submitting a data right request using commercially reasonable efforts, it is not required to comply with said request. In this case, the controller must inform the consumer that their identity cannot be authenticated, provide information on how to remedy any deficiencies, and may request additional personal data if reasonably necessary to authenticate the consumer (Rule 4.08(F) of the CPA Rules).
Rule 4.08 of the CPA Rules also highlights additional guidance related to authentication by controllers, including:
- collection of additional personal data to authenticate should be avoided unless the data already possessed cannot be used to authenticate the consumer (Rule 4.08(B) of the CPA Rules);
- data obtained for authentication should not be used for another purpose and must be deleted as soon as practical (Rule 4.08(C) of the CPA Rules);
- implementation of security measures (Rule 4.08(D) of the CPA Rules); and
- the prohibition of a fee for authentication (Rule 4.08(E) of the CPA Rules).
If the controller decides not to act on a consumer's data subject request, it must inform the consumer of the grounds for the denial, including, but not limited to (Rule 4.09(C) of the CPA Rules):
- any conflict with federal or state law;
- the relevant exception to the CPA and a description of the exception;
- the controller's inability to verify a consumer's identity, in which case the controller must describe in documentation their reasonable efforts to authenticate the consumer's identity and why it was unable to do so;
- any factual basis for a controller's good-faith claim that compliance is impossible; or
- any basis for a good faith documented belief that the request is fraudulent or abusive.
Furthermore, if a controller denies a consumer data right request based on inability to authenticate, the controller must describe in the documentation required by Rule 6.11 of the CPA Rules their reasonable efforts to authenticate and why they were unable to do so (Rule 4.09(C)(1) of the CPA Rules).
Exemptions
Furthermore, the rights contained in §6-1-1306(1)(b) to (1)(e) of the CPA do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information (§6-1-1307(3) of the CPA).
Time for responding to consumer requests
A controller shall inform a consumer of any action taken on a request under the CPA without undue delay and, in any event, within 45 days after receipt of the request. The controller may extend the 45-day period by an additional 45 days where reasonably necessary, taking into account the complexity and number of requests, and shall inform the consumer of the extension. If a controller does not take action on a consumer request, the controller shall inform the consumer without undue delay, and within 45 days of receiving the request, of the reasons for not acting and instructions for how to appeal. A controller is not obligated to comply with a request to exercise any of the rights under the CPA if the controller is not able to authenticate the request (§6-1-1306(2) of the CPA, Rule 4.09 of the CPA Rules).
Fees
A controller shall provide the consumer with the information specified in the CPA free of charge unless there is a second or subsequent request within a twelve-month period. In this case, the controller may charge an amount as described in C.R.S. §24-72-205(5)(a) (§6-1-1306(2)(c) of the CPA):
- Cost per page: A custodian can charge up to 25 cents per standard page for a copy;
- Cost for other formats: A custodian can charge up to the actual cost of providing a copy in a format other than a standard page; and
- No per-page fee for digital formats: A custodian cannot charge a per-page fee for digital or electronic formats, such as PDFs.
Appeals
A controller shall establish an internal process for consumers to appeal a refusal to take action on a request, and the appeal process must be conspicuously available and as easy to use as the process for submitting a request under the CPA (§6-1-1306(3)(a) of the CPA). Within 45 days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation to support the response (§6-1-1306(3)(b) of the CPA). The controller may extend the 45-day period by 60 additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. The consumer shall be informed within 45 days of receipt of the appeal if an extension is necessary, in addition to the reasons for the delay (§6-1-1306(3)(b) of the CPA). The consumer should also be informed of their ability to contact the AG if there are questions about the appeal (§6-1-1306(3)(c)(f) of the CPA).
8.1. Right to be informed
In accordance with §6-1-1308(1)(a) to (b) of the CPA, controllers must provide consumers with a privacy notice that includes:
- the categories of personal data collected or processed by the controller or a processor;
- the purposes for which the categories of personal data are processed;
- how and where consumers may exercise the rights pursuant to §6-1-1306 of CPA, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;
- the categories of personal data that the controller shares with third parties, if any;
- the categories of third parties, if any, with whom the controller shares personal data; and
- if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
Rule 6.02 of the CPA Rules states that privacy notices must provide consumers with a meaningful understanding and accurate expectations of how their personal data will be processed, inform them about their rights under the CPA, and provide any information necessary for them to exercise those rights (Rule 6.02(A), (B) of the CPA Rules). Additionally, privacy notices must be clear, specific, and easily accessible (Rule 6.02(D), (E), (F) of the CPA Rules). Importantly, where the controller's privacy notice includes all of the required information and makes it clear that Colorado consumers are entitled to the rights outlined in §6-1-1306 of the CPA, the controller is not required to provide a separate Colorado-specific privacy notice or section of a privacy notice (Rule 6.2(b) of the CPA Rules).
In relation to the specific information that must be provided, the CPA Rules detail that the privacy notices must comprise the following (Rule 6.03(a) of the CPA Rules):
- a list of the data rights available;
- a comprehensive description of the controller's data processing practices, linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that personal data to the controller for a specified purpose;
- whether the controller's processing activities involve the processing of personal data for profiling purposes and whether the resulting decision produces legal or similarly significant effects concerning a consumer;
- a description of the methods through which a consumer may submit requests to exercise data rights;
- a controller's contact information;
- if the controller will delete the personal data within 24 hours, a description of the sensitive data inferences subject to that provision, and the retention and deletion timeline for such sensitive data inferences;
- instructions on how a consumer may appeal a controller's action in response to the consumer's request; and
- the date that the privacy notice was last updated.
Pursuant to Rule 6.04 of the CPA Rules, controllers must notify consumers of material changes to a privacy notice in a manner by which the controller regularly interacts with the consumers. Material changes may include, but are not limited to, changes to:
- categories of personal data processed;
- processing purposes;
- controller's identity;
- the act of sharing personal data with third parties;
- categories of third parties with whom personal data is shared; or
- methods by which consumers can exercise their data rights requests.
The CPA Rules provide that privacy notices must comprise the following information (Rule 6.03 of the CPA Rules):
- a comprehensive description of the controller's online and offline personal data processing practices, including the following, linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that personal data to the controller for a specified purpose (Rule 6.03(A)(1) of the CPA Rules):
  - an explanation of the processing purpose, which should cover how personal data is used for the purpose in question;
  - whether the processing purpose encompasses targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
  - the categories of personal data that the controller sells to, or shares with, third parties, if any;
  - the categories of third parties with whom the controller shares, or to whom the controller sells, personal data, described in a sufficiently granular level of detail; and
  - the categories of personal data processed, including, but not limited to, whether personal data of a child or other sensitive data is processed; categories shall be described in a level of detail that provides consumers a meaningful understanding of the type of personal data processed;
- if applicable, the disclosures required under Rule 9.03 of the CPA Rules concerning profiling (Rule 6.03(A)(2) of the CPA Rules);
- a list of the data rights available and a description of the means through which a consumer may exercise the same, including, effective July 1, 2024, an explanation of how requests to opt out using Universal Opt-Out Mechanisms will be processed (Rules 6.03(A)(3) and 6.03(A)(4) of the CPA Rules);
- in case of deletion of sensitive data inferences, a description of the sensitive data inferences involved, the retention and deletion timelines (Rules 6.03(A)(5) of the CPA Rules);
- the contact information of the controller (Rules 6.03(A)(6) of the CPA Rules);
- instructions on how to appeal a controller's response to a request submitted by a consumer (Rules 6.03(A)(7) of the CPA Rules); and
- the date of the privacy policy's latest update (Rules 6.03(A) and (B) of the CPA Rules).
The express purposes for which each category of personal data is collected shall also be specified (Rule 6.06 of the CPA Rules).
8.2. Right to access
A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data (§6-1-1306(1)(b) of the CPA).
When responding to an access request, a controller must provide the consumer with all the specific pieces of personal data it has collected and maintains about the consumer and that are the subject of the request, which includes the personal data that the controller's processors obtained from the controller in providing services to the controller (Rule 4.04(A) of the CPA Rules). Personal data provided in response to an access request must be concise, in plain language, allow an average consumer to make an informed decision, and be provided in line with Rule 3.02 (as applicable) (Rule 4.04(B) of the CPA Rules).
A controller is not required to disclose certain categories of personal data when responding to an access request, including (Rule 4.04(D) of the CPA Rules):
- a consumer's government-issued identification number;
- a financial account number;
- a health insurance or medical identification number;
- an account password;
- security questions and answers;
- biometric identifiers; or
- biometric data.
However, in such instances, a controller shall nonetheless inform the consumer that it has collected said type of information, e.g., a controller shall respond that it collects 'unique biometric data including a fingerprint scan' without disclosing the actual fingerprint scan data (Rule 4.04(D) of the CPA Rules).
Rule 4.04(E) of the CPA Rules also outlines that a controller may respond to a consumer's request to access personal data in a portable format in a manner that does not reveal a trade secret, such as by providing the data in a nonportable format.
8.3. Right to rectification
A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data (§6-1-1306(1)(c) of the CPA).
Rule 4.05(A) of the CPA Rules provides that consumers have the right to correct inaccuracies in their personal data subject to C.R.S. §6-1-1306(c).
Additionally, Rule 4.05(B) of the CPA Rules establishes that if a consumer submits a correction request, the controller must amend the personal data in its existing systems and must also use agreed-upon technical, organizational, or other measures or processes to instruct the processors involved to make the necessary corrections in their respective systems. If personal data is stored on archive or backup systems, compliance with the request may be delayed until that system is restored to an active system or is next accessed or used (Rule 4.05(C) of the CPA Rules).
A controller may require the consumer to provide documentation, if necessary, to determine whether the personal data, or the consumer's requested correction, is accurate (Rules 4.05(E)(1) to 4.05(E)(4) of the CPA Rules). Once these steps are exhausted, the controller may decide not to act upon a consumer's correction request if the controller determines that the contested personal data is more likely than not accurate (Rule 4.05(E)(5) of the CPA Rules). A controller may respond to a consumer's request with instructions to complete the correction through the consumer's account settings in line with Rule 4.05(D) of the CPA Rules.
8.4. Right to erasure
A consumer has the right to delete personal data concerning the consumer (§6-1-1306(1)(d) of the CPA).
Pursuant to the CPA Rules, a controller may maintain records of a consumer's deletion request consistent with Rule 6.11 of the CPA Rules and as needed to effectuate the deletion request (Rule 4.06(B) of the CPA Rules). The CPA provides further insight as it relates to the right to delete personal data, including:
- a controller may comply with a consumer’s deletion request by (Rule 4.06(A) of the CPA Rules):
  - permanently deleting the personal data, or de-identifying it so that it cannot be used to identify the individual or to infer information about them; and
  - using agreed technical and organizational measures to delete personal data;
- if a controller stores personal data on archived or backup systems, the request may be delayed until those systems are again accessed or used (Rule 4.06(C) of the CPA Rules); and
- for personal data received from a source other than the consumer, the controller shall comply with a deletion request by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s data remains deleted (Rule 4.06 (D) of the CPA Rules).
8.5. Right to object/opt-out
A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of (§6-1-1306(1)(a) of the CPA):
- targeted advertising;
- the sale of personal data; or
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Moreover, a consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in §6-1-1306(1)(a)(i) of the CPA, including through a technology indicating the consumer's intent to opt out, such as a web link indicating a preference, a browser setting, a browser extension, or a global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf (§6-1-1306(1)(a)(II) of the CPA).
A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to §6-1-1306(1)(a)(I) of the CPA. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under the CPA, and in a clear, conspicuous, and readily accessible location outside the privacy notice (§6-1-1306(1)(a)(III) of the CPA). The controller may allow consumers to exercise the right to opt out of the processing through a user-selected universal opt-out mechanism that meets the technical specifications established by the AG pursuant to §6-1-1313 (§6-1-1306(1)(a)(IV)(B) of the CPA).
Pursuant to Rule 5.02(A) of the CPA Rules, consumers may exercise their right to opt out of the processing of their personal data for purposes of targeted advertising or for the sale of personal data through a user-selected universal opt-out mechanism that meets the technical and other specifications provided in the CPA Rules.
According to the CPA Rules, a controller must comply with an opt-out request by (Rule 4.03(A) of the CPA Rules):
- ceasing to process the consumer's personal data for the opt-out purpose(s) as soon as feasibly possible and without undue delay from the date the controller receives the request, considering the size and complexity of the controller's businesses and the burden of operationalizing the opt-out. Additionally (Rule 4.03(A)(1) of the CPA Rules):
  - if a controller does not know the identity of a consumer submitting an online opt-out request, such that the controller is unable to opt the consumer out of the processing of offline or other connected personal data, the controller may request the additional information necessary to do so subject to Rules 4.08 and 5.05 of the CPA Rules; and
  - if a consumer submits a request to exercise more than one data right and a controller can complete the opt-out request in a timelier manner than other data rights requests, the controller should complete the opt-out request prior to any other data rights request;
- maintaining a record of the opt-out request and response in compliance with 4 CCR 904-3, Rule 6.11 (Rule 4.03(A)(2) of the CPA Rules); and
- using agreed-upon technical, organizational, or other measures or processes to instruct its processors, pursuant to C.R.S. §6-1-1305(2)(a), to stop processing the personal data as needed to effectuate the consumer's opt-out request (Rule 4.03(A)(3) of the CPA Rules).
Rule 4.02(B) of the CPA Rules provides further detail regarding required disclosures and methods for a consumer to exercise the right to opt out if the controller sells personal data, processes personal data for targeted advertising, or processes data in furtherance of a decision that results in the provision or denial of access to essential services. Also, an authorized agent may exercise a consumer's opt-out on their behalf so long as the controller can authenticate the authorized agent as outlined in Rule 4.03(C) of the CPA Rules.
Pursuant to Rule 5.02(B) of the CPA Rules, the purpose of a Universal Opt-Out Mechanism is to provide consumers with a simple and easy-to-use method by which they can automatically exercise their opt-out rights with all controllers they interact with without having to make individualized requests with each controller.
Specifically, a Universal Opt-Out Mechanism may (Rule 5.02(C) of the CPA Rules):
- express a consumer's choice to opt out of the processing of personal data for both the processing of personal data for purposes of targeted advertising and the sale of personal data; or
- express a consumer's choice to opt out of the processing of personal data for only one of these two purposes.
In this regard, if a platform, developer, or provider provides a Universal Opt-Out Mechanism, it must make clear to the consumer, whether in its configuration or disclosures to the public, that the mechanism is meant to allow them to exercise the right to opt out of the processing of personal data. Additionally, the CPA Rules indicate specific contents that such notices to the consumer must have (Rule 5.03(A) of the CPA Rules).
In any event, a valid Universal Opt-Out Mechanism must represent the consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of their personal data. Furthermore, controllers are not obligated to honor consumer rights requests for purposes other than those listed above, when transmitted through a Universal Opt-Out Mechanism (Rule 5.03(B) of the CPA Rules).
The platform, developer, or provider of the Universal Opt-Out Mechanism is not required to confirm the user is a Colorado resident (Rule 5.03(C) of the CPA Rules).
Issues related to UOOM
In addition, the CPA Rules address the issues that might arise in relation to Universal Opt-Out Mechanisms and default settings, providing some examples (Rule 5.04(A) of the CPA Rules). For instance, the CPA Rules illustrate that if a browser is pre-installed on every device provided with an operating system by the vendor, and by default the browser delivers a Universal Opt-Out Mechanism signal without prompting the consumer to enable this setting, such a mechanism would not meet the requirements set out in the CPA Rules, as the consumer's decision to use the browser does not constitute an affirmative, freely offered, and unambiguous choice to use the Universal Opt-Out Mechanism (Rule 5.04(A)(1) of the CPA Rules). Conversely, the CPA Rules consider it an acceptable option if a tool that does not come pre-installed with a device, such as a browser or operating system, is nonetheless marketed as a tool designed to exercise a user's rights to opt out of the processing of personal data (Rule 5.04(B)(1) of the CPA Rules). Limitations on the use of personal data in connection with a UOOM are outlined in Rule 5.05 of the CPA Rules, and technical specifications are outlined in Rule 5.06 of the CPA Rules.
Once the right to opt out has been exercised by the consumer through a Universal Opt-Out Mechanism, a controller may enable a consumer to provide a new declaration of consent to opt in (Rule 5.09(A) of the CPA Rules). However, controllers shall not interpret the absence of a Universal Opt-Out Mechanism signal as consent to opt back in (Rule 5.09(B) of the CPA Rules).
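The opt-out state transitions just described (signal received means opt out, a missing signal changes nothing, only an explicit later consent opts back in) are easy to get wrong in a controller's request handling. The following is an added example, not code from the page or from any CPA reference material; it assumes the UOOM signal arrives as the Sec-GPC request header and that one signal covers both the targeted-advertising and sale purposes, and it keeps an audit trail of each request and response.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: the UOOM signal is delivered as the 'Sec-GPC: 1' request header,
# and that single signal expresses an opt-out for both purposes below.
SIGNAL_HEADER = "Sec-GPC"
SIGNAL_PURPOSES = ("targeted_advertising", "sale")


@dataclass
class OptOutRecord:
    """Constructed per-consumer record a controller might keep."""
    targeted_advertising: bool = False   # True = consumer has opted out
    sale: bool = False                   # True = consumer has opted out
    history: list = field(default_factory=list)  # (timestamp, event) audit trail


def uoom_signal_present(headers: dict) -> bool:
    """Return True only when the header carries an affirmative signal value."""
    return headers.get(SIGNAL_HEADER, "").strip() == "1"


def apply_request(record: OptOutRecord, headers: dict, now: datetime) -> OptOutRecord:
    """Update the stored opt-out state from one incoming request."""
    if uoom_signal_present(headers):
        for purpose in SIGNAL_PURPOSES:
            setattr(record, purpose, True)
        record.history.append((now.isoformat(), "opt-out received via UOOM signal"))
    # No signal on this request: leave the stored state exactly as it is.
    # Absence of the signal is not consent to opt back in.
    return record


def record_opt_in_consent(record: OptOutRecord, purpose: str, now: datetime) -> OptOutRecord:
    """Apply a separate, affirmative opt-in declaration made after a UOOM opt-out."""
    if purpose not in SIGNAL_PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    setattr(record, purpose, False)
    record.history.append((now.isoformat(), f"explicit opt-in consent for {purpose}"))
    return record


def may_process(record: OptOutRecord, purpose: str) -> bool:
    """True when the consumer has not opted out of this purpose."""
    return not getattr(record, purpose)


if __name__ == "__main__":
    rec = OptOutRecord()
    t = datetime(2024, 7, 1, tzinfo=timezone.utc)     # constructed timestamp
    apply_request(rec, {"Sec-GPC": "1"}, t)           # opt-out signal seen
    apply_request(rec, {}, t)                         # later request without signal
    print(may_process(rec, "sale"), rec.history)      # False, one audit entry
```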
Separately, the Colorado Department of Law was tasked with the responsibility of recognizing Universal Opt-Out Mechanisms and maintaining a public list of the same. To be recognized by the Colorado Department of Law, a Universal Opt-Out Mechanism must meet at least the following standards (Rule 5.07(C) of the CPA Rules):
- comply with all the relevant technical and other specifications laid down in the CPA Rules; and
- not confuse consumers or controllers about the features of the various Universal Opt-Out Mechanisms included in the public list.
Controllers had until June 30, 2024, to prepare for Universal Opt-Out Mechanisms. In fact, effective July 1, 2024, controllers will be obliged to abide by the requirements set out for Universal Opt-Out Mechanisms and to honor any opt-out request received through the same (Rule 5.08 of the CPA Rules).
8.6. Right to data portability
When exercising the right to access personal data pursuant to §6-1-1306(1)(b) of the CPA, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in §6-1-1306(1)(e) of the CPA requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets (§6-1-1306(1)(e) of the CPA).
Pursuant to Rule 4.07 of the CPA Rules, in order to comply with a data portability request, a controller must transfer to a consumer the personal data it has collected and maintains about them through a secure method in a commonly used electronic format that, to the extent technically feasible, is readily usable and allows the consumer to transmit the personal data to another entity without hindrance. Additionally, a controller is not required to provide personal data to a consumer in a manner that would disclose the controller's trade secrets. Controllers must nonetheless provide as much data as possible in a portable format without disclosing such trade secrets.
8.7. Right not to be subject to automated decision-making
A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer (§6-1-1306(1)(a)(I)(C) of the CPA). According to Rule 9.02 of the CPA Rules, controllers have an affirmative obligation to provide information to consumers about how personal data is used, the consumers' right to opt out, and the requirements for a data protection impact assessment to be conducted by the controller (please see the section on data protection impact assessments above for more information on those requirements, in addition to Rule 9.06 of the CPA Rules).
The CPA defines 'profiling' as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (§6-1-1303(20) of the CPA).
Controllers are required to provide specific information to consumers in the required privacy notice if personal data is used for profiling in furtherance of decisions that produce legal or other significant effects or affect the consumer's access to essential goods or services (Rule 9.03 of the CPA Rules). Consent requirements are outlined in Rule 9.05 of the CPA Rules.
Notably, the CPA Rules also provide for the consumers' right to opt out of profiling in furtherance of decisions that produce legal or other similarly significant effects concerning a consumer. The controller may not fulfill such a request when the profiling is based on human-involved automated processing. In this case, the controller must provide the consumer with information, if not included in the privacy notice, on the decision subject to the profiling, the specific personal data that is to be processed, the logic used, the role of human involvement in the profiling, the decision-making process, and how the consumer can rectify or delete the personal data processed as part of the decision-making process (Rule 9.04(A), (B), and (C) of the CPA Rules).
Controllers are mandated to provide a method to exercise the right to opt out of profiling in furtherance of decisions that produce legal or other similarly significant effects concerning a consumer clearly and conspicuously at or before the time such processing occurs (Rule 9.04(D) of the CPA Rules).
8.8. Other rights
Rule 6.05 of the CPA Rules outlines that a controller is not prohibited from offering bona fide loyalty program benefits to a consumer based on their voluntary participation in addition to other provisions related to bona fide loyalty programs.
9. Penalties
The CPA does not authorize a private right of action for a violation of its provisions. §6-1-1310(1) of the CPA neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including the CPA, the Constitution of the State of Colorado, or the United States Constitution (§6-1-1310(1) of the CPA).
The CPA outlines that where more than one controller or processor, or both a controller and a processor, involved in the same processing violates the CPA, the liability shall be allocated among the parties according to principles of comparative fault (§6-1-1310 of the CPA).
The AG and DA have exclusive authority to enforce the CPA by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce the CPA, including seeking an injunction to enjoin a violation of the CPA (§6-1-1311 of the CPA).
Prior to any enforcement action pursuant to §6-1-1311(1)(a) of the CPA, the AG or DA must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within 60 days after receipt of the notice of violation, an action may be brought pursuant to that section. Please note that §6-1-1311(1)(d) of the CPA is repealed, effective January 1, 2025 (§6-1-1311(1)(d) of the CPA).
9.1. Enforcement decisions
On July 12, 2023, the AG announced the launch of enforcement of the CPA. As such, the Department of Justice began mailing letters to businesses focused on educating them about the law and their new legal obligations under the CPA and CPA Rules; examples of these letters are available on the CPA Portal of the AG's website.