This blog post was written by guest blogger Lydia F. de la Torre, Founder of Golden Data Law.
This year, Colorado became the third state to enact a comprehensive privacy law (the Colorado Privacy Act or “CPA”). The law goes into effect on July 1, 2023 and imposes obligations on nonprofit and not-for-profit organizations that maintain personal data on Colorado residents, even if they do not operate in Colorado.
If your organization has already worked towards compliance with the European Union (EU) General Data Protection Regulation (GDPR), it will be ahead of the curve, as there are significant similarities between the Colorado CPA and the EU GDPR.
In any event, here are five things your organization should know about the new law:
1- The Colorado CPA applies to nonprofits/not-for-profits (but may not apply to your individual organization if you do not meet the thresholds)
In principle the CPA does apply to nonprofits and not-for-profits. In practice, whether the CPA will apply to your particular organization depends on the volume of records of Colorado residents that your organization handles, and on what your organization does with them.
As currently drafted, the law applies to “controllers” that conduct business or produce commercial products or services that are intentionally targeted to “consumers” and that meet one of two thresholds:
- Control or process “personal data” of at least 100,000 Colorado residents per calendar year; or
- Derive revenue from the “sale” of personal data of Colorado residents and control or process the personal data of at least 25,000 residents.
One important thing to bear in mind is that you will need a fairly granular understanding of what your organization does with data (how many Colorado residents’ records you hold, and whether any of them are “sold”) in order to assess whether the CPA applies to you.
2- The Colorado CPA regulates everything you do with data but broadly exempts the healthcare sector.
Any activity involving data that can be connected to an individual human being is potentially regulated by the DPA.
However, unlike the GDPR, Colorado law includes a large number of exclusions that will be particularly relevant for nonprofits/not-for-profits operating in the healthcare sector. Even for organizations in the healthcare sector, though, it is important to conduct an applicability assessment to make sure that all of your activities fit within one of the various exemptions that apply to your sector; an exemption that covers one data set does not necessarily cover everything else you process.
3- As of July 1, 2023, Colorado residents will have a number of rights that you will have to honor.
The Colorado CPA provides for a number of new rights. We list them below with an indication of how they align with the GDPR rights:
- Rights that align to GDPR: Access, correction, deletion, and data portability rights
- Rights that do not cleanly align to GDPR: Right to opt-out of sale of personal data, targeted advertising, and profiling. The law also establishes that opt-in is required before processing sensitive data, but there are several exclusions that limit the scope of this requirement.
The National Law Review has published a great article comparing the Colorado CPA with other state privacy laws here. Note that most of the laws listed do not apply to NP/NFP orgs (so no need to get overwhelmed, OK?).
If you are required to comply with the Colorado CPA (and quite frankly even if you are not), your organization’s leadership should carefully consider whether it makes sense to extend Colorado-grade rights to all your donors/supporters, as including some and excluding others will likely have an impact on how you are perceived by your community.
4- As of July 1, 2023, your organization will have a number of new obligations to consider.
The Colorado CPA imposes different obligations on controllers and processors.
Controllers are required to:
- Provide notice: Provide “a reasonably accessible, clear, and meaningful privacy notice” that tells Colorado residents what types of data are collected and how the data is used and shared. In addition, residents must be informed of the process to follow in order to exercise their rights.
- Respond to requests: Controllers must respond to requests from Colorado residents to exercise the rights listed above.
- Conduct data protection assessments: The CPA requires controllers to conduct and document a data protection assessment for each processing activity that “presents a heightened risk of harm to a consumer.” This only applies to activities involving data acquired on or after July 1, 2023.
- Duty of purpose specification, data minimization, and avoiding secondary uses: The CPA requires that the express purposes for processing be specified, that collection be “adequate, relevant, and limited to what is reasonably necessary,” and that secondary uses be avoided.
- Duty of care (a.k.a. security): Under the CPA a controller shall take reasonable measures to secure personal data. A separate Colorado law already in effect (see here) requires notification in case of a data breach, and it applies to the nonprofit/not-for-profit sector as well.
- Duty to avoid unlawful discrimination: Under CPA a controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
- Duties related to sensitive data: A controller shall not process a consumer’s sensitive data without first obtaining the consumer’s consent or, in the case of processing personal data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian. Under the CPA “sensitive data” means (i) personal data “revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status”; (ii) genetic or biometric data that may be “processed for the purpose of uniquely identifying an individual”; or (iii) personal data from a known child.
Processors are required to:
- Assist the controller: Taking into consideration “the nature of processing and the information available to the processor,” processors shall assist the controller by (i) taking appropriate technical and organizational measures to enable the controller to respond to consumer requests to exercise CPA rights; (ii) helping the controller meet its obligations to ensure the security of the processing and to notify of breaches as required; and (iii) providing enough information to the controller to conduct and document data protection assessments as required by the CPA (however, the controller and processor “are only responsible for the measures allocated to them”).
- Adhere to instructions: In addition to adhering to the controller’s instructions, processors shall (i) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; and (ii) engage subcontractors only after providing the controller with an opportunity to object and pursuant to a written contract, in accordance with the CPA, that requires the subcontractor to meet the same obligations that apply to the processor.
Both controllers and processors are required to:
- Ensure security: Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and must cooperate to ensure the security of the processing. Controllers also retain their own duty of care to secure personal data (see above), independent of what the processor does.
- Enter into contracts with specific language: Processing by a processor shall be governed by a binding contract that sets out (i) the instructions that bind the processor, including a description of the “nature and purpose of the processing”; (ii) the type of personal data subject to the processing and the duration of the processing; and (iii) the requirements for the processor to adhere to the instructions of the controller and for both to cooperate to ensure the security of the processing.
5- Yes, you should work towards compliance and not only because of the potential fines…
The Colorado Attorney General and district attorneys have exclusive authority to enforce the CPA; there is no private right of action. A violation is deemed a deceptive trade practice under the Colorado Consumer Protection Act, which carries civil penalties of up to US$20,000 per violation. Injunctive relief is also possible (which basically means the Colorado enforcers can require you to stop doing whatever they believe you are doing wrong).
Until January 1, 2025 the Colorado CPA features a right to cure. That means that, prior to enforcement, the Colorado Attorney General or district attorney must issue a notice of the violation to the controller and allow sixty days to fix it before an action can be brought against you. The right to cure will no longer apply after January 1, 2025.
And yes, fines can be imposed on organizations in the NP/NFP sector.
But it should not be only about penalties. There is a true global trend towards demanding more responsibility from organizations that handle personal data that was, in many ways, ushered in by the GDPR. How you choose to handle data will influence your standing in your community, and being proactive is the only way forward. Encouraging your leadership to start taking steps in this direction will set you up on the right path.