Colorado passes Privacy Act: what does the CPA mean for financial services?

The US state of Colorado has signed the Colorado Privacy Act (CPA) into law, making it the third US state to take decisive action to protect the data rights of consumers.  

Following in the footsteps of California (the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)) and Virginia (the Virginia Consumer Data Protection Act) Colorado’s law will grant almost identical rights to consumers, giving them greater controls and consent about the data that is collected, stored, and used by certain companies. The move signifies the US’ growing ambition to implement data privacy controls that will eventually match the European standard General Data Protection Regulation (GDPR).

Who will it apply to?

Much like the GDPR, the CPA has broad yet specific applicability. The new law will apply to all entities that conduct business in Colorado, or those that produce or deliver commercial services or products that target the residents of Colorado. They must also either control or process personal data of more than 100,000 consumers a year or, receive a source of revenue from the sale of personal data and control or process the data of at least 25,000 consumers. 

For the purpose of the Act, a consumer is “a Colorado resident acting only in an individual or household context.” 

The specificity of the CPA’s threshold should mean that the law will not affect small businesses or those who operate solely in the B2B arena. There are also further limitations surrounding employees, job applicants, and certain types of entities and data. Interestingly, there is not a direct exemption for non-profit organisations, meaning that the CPA will apply to them if they meet certain criteria.  

What are the key provisions within the CPA?

Broadly speaking, the CPA offers near-identical protections to its counterparts, including GDPR. This means it will give consumers the right to access, correct, delete, move, and opt-out of personal data and its processing. It does, however, offer a number of more interesting distinctions: 

• Right to appeal. The CPA is one of a handful of data privacy laws that gives individuals the chance to appeal in the event that a company has refuses their request for their data to be deleted.  
    
• Privacy impact assessment requirements. The CPA contains a provision that obliges companies to assess the type of data they have collected from a consumer, as well as how they are using it, securing it, how long they plan to retain it and any associated risks. This requirement does exist within other existing privacy laws but, because of myriad exemptions, is seldom used. The Colorado Privacy Act has very few exemptions, meaning that companies will have to run impact assessments for any project collection personal data, as well as in the event that there are changes to policies or staff, for example. Unlike other privacy laws, this impact assessment will be difficult to get out of.  
  
  
• Universal opt-out. The CPA, as in other privacy laws, gives consumers the right to opt-out of the processing of their personal data for a number of specified reasons – from advertising to the sale of their data. Interestingly, it also introduces a comparatively broad opt-out requirement that says the Colorado Attorney General will establish technical requirements for a universal “opt-out”, which would mean that all consumers could exercise all of their opt-out rights, universally, at the touch of a button. 

What happens if a company fails to comply?

GDPR has become renowned for the large and potentially ruinous fines that can be issued in the event of non-compliance – take Marriott or British Airways, for example. Needless to say, the CPA does not carry the same remedial weight – though fines for non-enforcement are not to be sniffed at, at around $20,000. While this may seem like small fry for large financial institutions, it will serve as a significant deterrent for many businesses.  

Under the CPA, in the event of non-compliance, firms will be given a 60-day period in which they can remedy their non-compliant activity. No enforcement action can be taken against them within this 60-day window. This grace period will only be in force, however, for the first two years of the CPA becoming law and will end on 1 January 2025.

Failure to comply with the CPA could see penalties of up to $20,000 issued for each violation. Under the CPA, there is no private right of action and, enforcement power instead lies with the Attorney General and the Colorado District Attorneys.   

When will the CPA come into effect? 

If everything goes to plan the CPA will come into effect on 1 July 2023 – six months after the CPRA and the VCDPA. 

There is, however, a clause that will allow for either voters within Colorado or its General Assembly to call a referendum on the proposals before 6 September 2021. If this were to happen, the CPA would then require a further vote in November 2022. There is also a chance that supporting or supplemental regulations could slow down the legislative process and delay the date that the law comes into force.

What do firms need to do to comply with the Colorado Privacy Act?

Delay or not, the CPA signifies Colorado’s intent to establish a clear regulatory regime for data privacy and protection. While firms will not yet need to act, they will need to start considering the provisions under the CPA and understand what they must do to comply on the date it comes into force. As well as this, the CPA’s opt-out rights and obligations will require applicable companies to assess their existing programs and amend their practices and policies well in advance of the law coming into effect. Businesses should prepare now to avoid penalties further down the line. 

CUBE comment 

It is reassuring to see that US states are taking data privacy into their own hands. The EU has long since held the crown for data privacy regulations, with the introduction of GDPR in May 2018. One cannot judge the US too harshly on their data record (pardon the pun), however. Unlike the EU, with one unified body for GDPR, the US has a plethora of regulators, legislators, and enforcement bodies as well as different states, different views, and different processes. It is no wonder, then, that the US’ approach to data privacy has been piecemeal.  

While many will welcome the latest addition to the US’s suite of data protection laws, there are others that will be less welcoming, or indeed more scrutinizing. Parts of the industry have raised concerns that the CPA has a number of loopholes that will swiftly be taken advantage of by businesses, rending the Act redundant for many. These concerns might well be warranted if the CCPA is anything to go by. 

However, loopholes or not, the CPA is a step in the right direction for protecting consumer data within Colorado. I would be hard pushed to find any law that has not evolved and been amended to close loopholes or adjust with evolving technological or social change. The CPA is a good start and will hopefully lay further foundations for other states to follow suit – New York, Texas and Florida are all tipped to be next in line.  

The future of data privacy regulation in the US is promising, there is little doubt that more states will move to legislate as the year rolls on. Of course, while this is a good thing for the consumer it will undoubtedly pose challenges for financial institutions who will have to predict, implement, and manage new regulations and the overlaps they present. It is no secret that GDPR presented a wave of challenge across all industries. State-by-state data privacy laws in the US could prove even more difficult to navigate.  

CUBE takes the complexity out of data privacy compliance.