Expert Commentary

Colorado Privacy Act: Controllers, Assessments, Data, and Enforcement

The Colorado Privacy Act (CPA) will take effect July 1, 2023. This article discusses CPA controller and processor responsibilities, controller-processor contracts, data protection assessments, de-identified data, and Colorado attorney general and district attorney enforcement.


Cyber and Privacy Risk and Insurance
July 2021

The CPA application and definitions, consumer rights, and privacy notice requirements were discussed in an earlier article. See "Colorado Privacy Act: Application, Definitions, Rights, and Notices."

Controller Responsibilities

A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.

A controller must not process personal data for purposes that are neither reasonably necessary to nor compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer's consent.

A controller must take reasonable measures to secure personal data, during both storage and use, from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and to the nature of the business.

Taking into account the context of processing, the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

A controller must not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

A controller must not process a consumer's sensitive data without first obtaining the consumer's consent. Where the personal data concern a known child, the controller must first obtain consent from the child's parent or lawful guardian.

A controller must not require a consumer to create a new account in order to exercise a right. Nor may a controller, based solely on a consumer's exercise of a right and for reasons unrelated to the feasibility or the value of a service, increase the cost of, or decrease the availability of, a product or service.

Nothing in the CPA requires a controller to provide a product or service that requires personal data the controller does not collect or maintain. Nor does the CPA prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including goods or services for no fee, if the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

Processor Responsibilities

The controller and processor are each responsible for only the measures allocated to them. Processors must adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA. Taking into account the nature of processing and the information available to the processor, the processor must assist the controller by doing the following.

  • Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to Col. Rev. Stat. § 6-1-1306;
  • Helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to Col. Rev. Stat. § 6-1-716; and
  • Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by Col. Rev. Stat. § 6-1-1309.

Notwithstanding the instructions of the controller, a processor must do all of the following.

  • Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data.
  • Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with Col. Rev. Stat. § 6-1-1305(5) that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Controller-Processor Contracts

Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out the following.

  • The processing instructions to which the processor is bound, including the nature and purpose of the processing;
  • The type of personal data subject to the processing and the duration of the processing;
  • The requirements imposed by Col. Rev. Stat. § 6-1-1305(3), (4) and (5); and
  • The following requirements.
    • At the choice of the controller, the processor must delete or return all personal data to the controller at the end of the provision of services, unless retention of the personal data is required by law;
    • The processor must make available to the controller all information necessary to demonstrate compliance with the obligations in the CPA; and
    • The processor must allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, with the controller's consent, the processor may arrange for a qualified and independent auditor to audit, at least annually and at the processor's expense, the processor's policies and technical and organizational measures in support of its CPA obligations, using an appropriate and accepted control standard or framework and audit procedure. The processor must provide a report of the audit to the controller upon request.

In no event may a contract relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined by the CPA.

Data Protection Assessments

Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.

A controller must not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of Col. Rev. Stat. § 6-1-1309 that present a heightened risk of harm to a consumer.

For purposes of Col. Rev. Stat. § 6-1-1309, "processing that presents a heightened risk of harm to a consumer" includes the following.

  • Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of the following.
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial or physical injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers.
  • Selling personal data.
  • Processing sensitive data.

Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

In this assessment, the controller must factor in the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

De-identified Data

The CPA does not require a controller or processor to do any of the following solely for purposes of complying with the CPA.

  • Reidentify de-identified data.
  • Comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to Col. Rev. Stat. § 6-1-1306(1), if all of the following are true.
    • The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    • The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate personal data with other personal data about the same specific consumer; and
    • The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer.
  • Maintain data in an identifiable form or collect, obtain, retain, or access any data or technology to enable the controller to associate an authenticated consumer request with personal data.

A controller that uses de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data are subject and must take appropriate steps to address any breaches of contractual commitments.

The rights in Col. Rev. Stat. § 6-1-1306(1)(b) to (1)(e) do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

Enforcement

Notwithstanding any other provision of Article 1, the Colorado attorney general and district attorneys have exclusive authority to enforce the CPA, including seeking an injunction to enjoin a violation of the CPA. For purposes only of enforcement of the CPA by the Colorado attorney general or a district attorney, a violation of the CPA is a deceptive trade practice.

Whenever the Colorado attorney general or a district attorney has cause to believe that a person has engaged in or is engaging in any deceptive trade practice listed in Col. Rev. Stat. § 6-1-105 or in the CPA, the Colorado attorney general or district attorney may apply for and obtain, in an action in the appropriate Colorado district court, a temporary restraining order or injunction, or both, pursuant to the Colorado rules of civil procedure, prohibiting the person from continuing the practices, engaging in them, or doing any act in furtherance of them.

The court may make such orders or judgments as may be necessary to prevent the use or employment by the person of any such deceptive trade practice or that may be necessary to completely compensate or restore to the original position of any person injured by means of any such practice or to prevent any unjust enrichment by any person through the use or employment of any deceptive trade practice.

Where the Colorado attorney general or a district attorney has authority to institute a civil action or other proceeding pursuant to the provisions of Article 1, the Colorado attorney general or district attorney may accept, in lieu thereof or as a part thereof, an assurance of discontinuance of any deceptive trade practice listed in Col. Rev. Stat. § 6-1-105 or the CPA. The assurance may include a stipulation for the voluntary payment by the alleged violator of the costs of investigation and any action or proceeding by the Colorado attorney general or a district attorney and any amount necessary to restore to any person any money or property that may have been acquired by the alleged violator by means of any such deceptive trade practice.

Prior to any enforcement action under Col. Rev. Stat. § 6-1-1311(1)(a), the Colorado attorney general or a district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within 60 days after receipt of the notice of violation, an action may be brought pursuant to Col. Rev. Stat. § 6-1-1311. This notice-and-cure provision, Col. Rev. Stat. § 6-1-1311(1)(d), is repealed effective January 1, 2025, after which a violation may be pursued without a prior opportunity to cure.

The CPA creates no private right of action. Notwithstanding any other provision of Article 1, nothing in the CPA shall be construed as providing the basis for, or being subject to, a private right of action for violations of the CPA or any other law, and the CPA does not authorize a private right of action for a violation of any other provision of law. At the same time, Col. Rev. Stat. § 6-1-1310(1) neither relieves any party from duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including Article 1, the Colorado Constitution, or the US Constitution.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
