On July 12, 2023, Colorado Attorney General Phil Weiser announced, through letters sent to Colorado businesses, that his office would begin enforcing the Colorado Privacy Act (“CPA”). Enacted in 2021, the CPA became enforceable on July 1, 2023, signaling that Colorado regulators are wasting no time commencing enforcement efforts.
The AG’s letters highlight regulators’ focus on two key areas: (1) the collection of sensitive data and (2) ensuring that companies comply with their obligation to allow consumers to opt-out of targeted ads.
As a reminder, the CPA applies to businesses that operate in Colorado or target Colorado citizens and collect data from over 100,000 Coloradans or that receive revenue from the sale of personal data for over 25,000 Coloradans. Following the news from the AG, businesses that meet this criteria should keep the following in mind:
Sensitive Data Requires Consent and Data Protection Assessments
The CPA’s definition of sensitive data is typical of a state privacy law and includes:
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status
- Genetic or biometric data that may be processed to uniquely identify an individual; or
- Personal data from a known child (under the age of 13)
Importantly, the CPA requires a controller to obtain consent (or, if a minor, a parent’s consent) to process sensitive data. Additionally, a controller processing sensitive data is required to conduct and document data protection assessments of each of its processing activities that involve sensitive data acquired on or after July 1, 2023. Colorado businesses processing such data should confirm that appropriate consent has been obtained and data protection assessments have been conducted.
Ensure Users Can Opt-Out of Targeted Advertising
The CPA defines targeted advertising as “displaying to a consumer an ad that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.” For example, say someone visits a clothing company’s website, which uses advertising tracking technologies like cookies and pixels from companies like Meta and Google. Later, that same user visits an online newspaper and sees banner ads for the clothing company’s products (or a similar brands’ products). Under the CPA’s requirements, the clothing company must ensure that site visitors have the option of turning off its site’s tracking technologies so that their information is not sold to companies like Meta and Google.
As part of their compliance, companies that use personal information for targeted advertising must do two things:
- Provide a clear and conspicuous method for consumers to exercise their right to opt-out, such as a link in the website’s footer that reads “Your Privacy Choices” (this is becoming common, as it also satisfies California’s opt-out requirements).
- Ensure their websites listen for and process browser preference signals such as the Global Privacy Control, or “GPC.” GPC is an emerging technology available in some web browsers that makes it easy for consumers to turn on a single setting that automatically tells all the websites they visit that they do not want their personal information sold for targeted advertising.
Review and Update Privacy Policies
In addition to the AG’s focus on sensitive data and opt-outs for targeted ads, companies should attend to the CPA’s other basic requirements. This includes updating privacy policies with accurate and comprehensive information on what personal information is collected and how it’s handled, and the company's processes for honoring consumers’ other rights regarding personal information, such as the rights to delete, correct, and access.
Companies can probably expect a regulatory posture that is firm but also reasonable and collaborative. In a statement, Weiser stressed, “Our enforcement of this important law will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts . . . these letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”
Despite the AG’s measured tone, companies should beware that the CPA has some of the most significant financial penalties of any state privacy law. Businesses that do not comply can face penalties of up to $20,000 per violation and up to $500,000 for a series of violations.