Colorado AG Proposes Draft Amendments to the Colorado Privacy Act Rules

On September 13, 2024, the Colorado Attorney General’s (AG) Office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The proposals include new requirements related to biometric collection and use (applicable to all companies and employers that collect biometrics of Colorado residents) and children’s privacy. They also introduce methods by which businesses could seek regulatory guidance from the Colorado AG.

The draft amendments seek to align the CPA with Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, both of which were enacted earlier this year and will largely come into effect in 2025. Comments on the proposed regulations can be submitted beginning on September 25, 2024, in advance of a November 7, 2024, rulemaking hearing.

In Depth


PRIVACY OF BIOMETRIC IDENTIFIERS & DATA

In comparison to other state laws like the Illinois Biometric Information Privacy Act (BIPA), the CPA proposed draft amendments do not include a private right of action. That said, the proposed draft amendments include several significant revisions to the processing of biometric identifiers and data, including:

  • Create New Notice Obligations: The draft amendments require any business (including those not otherwise subject to the CPA) that collects biometrics from consumers or employees to provide a “Biometric Identifier Notice” before collecting or processing biometric information. The notice must include which biometric identifier is being collected, the reason for collecting the biometric identifier, the length of time the controller will retain the biometric identifier, and whether the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor alongside the purpose of such disclosure. This notice must be reasonably accessible, either in a standalone disclosure or, if embedded within the controller’s privacy notice, a clear link to the specific section within the privacy notice that contains the Biometric Identifier Notice. This requirement applies to all businesses that collect biometrics, including employers, even if a business does not otherwise trigger the applicability thresholds of the CPA.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent from the data subject before selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric information. The amendments also allow employers to collect and process biometric identifiers as a condition for employment in limited circumstances (much more limited than Illinois’s BIPA, for example).

PRIVACY PROTECTIONS FOR CHILDREN’S ONLINE DATA

The draft amendments also include several updates to existing CPA requirements related to minors:

  • Delineate Between Consumers Based on Age: The draft amendments define a “child” as an individual under 13 years of age and a “minor” as an individual under 18 years of age, creating additional protections for teenagers.
  • Update Data Protection Assessment Requirements: The draft amendments expand the scope of data protection assessments to include processing activities that pose a heightened risk of harm to minors. Under the draft amendments, entities performing assessments must disclose whether personal data from minors is processed as well as identify any potential sources and types of heightened risk to minors that would be a reasonably foreseeable result of offering online services, products, or features to minors.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent before processing the personal data of a minor and before using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature.

OPINION LETTERS AND INTERPRETIVE GUIDANCE

In a welcome effort to create a process by which businesses and the public can understand more about the scope and applicability of the CPA, the draft amendments:

  • Create a Formal Feedback Process: The draft amendments would permit individuals or entities to request an opinion letter from the Colorado AG regarding aspects of the CPA and its application. Entities that have received and relied on applicable guidance offered via an opinion letter may use that guidance as a good faith defense against later claims of having violated the CPA.
  • Clarify the Role of Non-Binding Advice: Separate and in addition to the formal opinion letter process, the draft amendments provide a process by which any person affected directly or indirectly by the CPA may request interpretive guidance from the AG. Unlike the guidance in an opinion letter, interpretive guidance would not be binding on the Colorado AG and would not serve as a basis for a good faith defense. Nonetheless, a process for obtaining interpretive guidance is a novel, and welcome, addition to the state law fabric.

WHAT’S NEXT?

While subject to change pursuant to public consultation, assuming the proposed CPA amendments are finalized, they would become effective on July 1, 2025. Businesses interested in shaping and commenting on the draft amendments should consider promptly submitting comments to the Colorado AG.

Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • How your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.
© 2022 ArentFox Schiff LLP

Colorado Privacy Act: New Protections for Consumers in the Centennial State

On July 1, 2023, the Colorado Privacy Act (CPA) will go into effect as the third state law generally governing consumer data privacy and was the second enacted in 2021.  If you do business with consumers in Colorado, regardless of your location, you should begin familiarizing yourself with the requirements of the CPA now.  While the CPA is similar to the California Privacy Rights Act (CRPA) and Virginia’s Consumer Data Privacy Act (VCDPA), certain elements distinguish the Colorado law from its counterparts.  Unlike the California law, the CPA does not apply to personal data in the employee or business-to-business relationship.  This client alert provides a breakdown of the general requirements and obligations on businesses and key distinctions with other state data privacy laws.

Covered Businesses and Applicability

Covered ControllersThe CPA applies to any business, called a “controller” under the statute, who “alone, or jointly with others, determines the purposes for and means of processing personal data,” and “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and:

  • Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

There are a number of exemptions to the applicability provision that should be considered as part of the analysis of applicability.  First, the definition of consumers does not include “individual[s] acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” Second, the Act does not apply to certain types of personal data, as defined by the type of data, such as patient data, or as defined by the statute by which the collection and use of the data is regulated such as Gramm-Leach-Bliley.  Third, the Act does not apply to certain types of businesses, such as air carriers, public utilities (as defined by Colorado Law), or those subject to Gramm-Leach-Bliley. Notably, there is no revenue threshold requirement, meaning an applicability analysis begins by looking at the number of records processed.

Covered Individual To reiterate, the CPA does not apply to employee data, which, like the VCDPA means a consumer is a Colorado resident acting only in an individual or household context.

Personal DataThe CPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual,” but does not include “de-identified data or publicly available information,” including data “that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”  This definition is similar to the VCDPA.

Controller and Processor Obligations

If the CPA is applicable to a controller then they, and their processors (a person that processes personal data on behalf of a controller) must adhere to a set of obligations.  The CPA sets out an analysis for determining whether a person is acting as a controller or a processor.

Obligations and Duties of Controllers

Under the Act, controllers must:

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Comply with the duty of transparency by providing notice of the sale of personal data and the ability to opt out and by providing “a reasonably accessible, clear, and meaningful privacy notice” that includes:
    • Categories of personal data collected/processed;
    • Purpose(s) of processing;
    • How consumers may exercise rights and appeal controller’s response to consumer’s request;
    • Categories of personal data shared; and
    • Categories of third parties personal data is shared with;
  • Respond to the consumer’s exercise of their rights;
  • Comply with the duty of purpose specification;
  • Comply with the duty of data minimization;
  • Comply with the duty to avoid secondary use;
  • Comply with the duty of care that is appropriate to the volume, scope, and nature of the personal data processed.
  • Comply with the duty to avoid unlawful discrimination;
  • Process sensitive data only with the consent of the consumer. Sensitive data is “(a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child;”
  • Perform data protection assessments before beginning processing activities that present a heightened risk of harm to a consumer – certain situations of targeted advertising or profiling, selling personal data, and processing sensitive data are activities that present a heightened risk of harm; and
  • Engage processors only under a written contract, which shall include the type of personal data processed and other requirements under the CPA.

Obligations of Processors

Under the Act, processors must:

  • Assist controllers in meeting their obligations under the CPA;
  • Adhere to instructions of controller and assist controller in meeting those obligations, including security of processing and data breach notification;
  • Ensure a duty of confidentiality for each person processing personal data; and
  • Engage subcontractors pursuant to a written contract and only after providing the controller an opportunity to object.

Rights of Consumers

Like the VCDPA and CPRA, the CPA includes a suite of rights which consumers may request with respect to their personal data:

  • Right of access;
  • Right to correction;
  • Right to delete;
  • Right to data portability;
  • Right to opt out, including specifically  of targeted advertising or the sale of personal data; and
  • Right to appeal, including the right to contact the attorney general if the appeal is denied.

Within forty-five days of receipt of a request, a controller must respond by (a) taking action on the request, (b) extending the time for taking action up to an additional forty-five days, or (c) by not taking action and providing the instructions for an appeal.  Information provided under a first request within a 12 month period must be at no charge to the consumer.  Controller’s may implement processes to authenticate the identity of consumers requesting rights.

Enforcement of the CPA

There is no private right of action under the CPA with enforcement authority delegated to both the Colorado attorney general and district attorneys.  The CPA doubles the cure period granted to controllers provided under the VCDPA and CPRA to 60 days; however, the entitlement to a cure period will sunset on January 1, 2025.  Under the CPA a violation is a deceptive trade practice under the Colorado Consumer Protection Act, such that while the CPA does not specify a penalty amount, the Colorado Consumer Protection Act specifies a penalty of up to $20,000 per violation.

What’s Next

If the CPA is the first data protection legislation applicable to your organization, the time to transition your team– IT, marketing, legal – is now.  Delays in implementation are likely and could be costly.

 

This article was written by Lucy Tyson, Brittney E. Justice and Matthew G. Nielson of Bracewell law firm. For more articles regarding privacy legislation, please click here.

The Natural Segue between Tax Compliance & Estate Planning: Jennifer Tolsky Promoted to Partner at Gould & Ratner

Jennifer Tolsky was recently promoted to partner with the law firm of Gould & Ratner in the Tax & Wealth Transfer Group.  Tolsky is a CPA whose tax knowledge augments her legal practice, giving her a heightened awareness of tax concerns with estate planning, wealth transfer strategies and business succession planning.  Tolsky blends experience in tax compliance with an understanding of the personal nature of estate planning to provide nuanced and well-rounded counsel to clients of Gould & Ratner.

The Importance of Tax Compliance to  Estate Planning

Although “technically” Tolsky received her law degree first, she points out that she began her career as a CPA.  For Tolsky, her work as an attorney is built on a foundation of tax compliance knowledge.  The recession of 2008 influenced her career trajectory, and she says, “My dad, who is also a CPA, urged me to pursue an advanced degree in accounting due to the job shortage.”  This led to work in tax compliance, and she was able to marry the two by becoming an associate at Gould & Ratner.  Tolsky says, “Tax law is ever changing and evolving, and I enjoy the challenges it brings.  My accounting background, and specifically, my tax compliance background, informs my legal practice on a daily basis.”

Tolsky sees her current area of practice in the Tax & Wealth Transfer group as a “natural segue” from her previous experience in tax compliance.  She says, “I always consider how an issue I am reviewing or a provision I am drafting will impact a tax return, as well as how items will be executed once implemented . . . because of my previous role in tax compliance, I was able to see many of the issues I deal with currently manifest themselves in the ‘real world’.”  This practical familiarity is ideal in such a personal area of law such as estate planning, where there is a premium on tax efficiency and clients appreciate an in-depth understanding of the nuances of their individual situations.

With tax laws constantly changing, the challenges confronting estate planning clients continue to evolve.  Tolsky sees her role as an advisory one, helping her clients understand how the changes can impact them on multiple levels.  For example, the increased federal exemption on estate taxes, which has increased steadily since 1997, and according to the Tax Policy Center, the federal estate tax impacted the tax returns of less than 0.1 percent of the 2.7 million people who passed away in 2018.  However, other issues are still in play for clients.  Tolsky says, “Although the increased exemption may allow an individual’s estate to pass estate tax-free, there are other issues, such as probate, creditor protection, and ensuring that your assets pass according to your wishes.”  While the playing field is constantly changing, a strong foundation in tax compliance provides real-world expertise for Tolsky as she guides her clients through these issues.

Value of Relationships with Estate Planning, Wealth Transfer and Business Succession Clients

Estate planning is an area of the law that can get very personal for individuals, and Tolsky knows how important it is that client concerns are addressed with an eye to all the issues in play.  She works to establish trust with her clients by understanding their concerns as well as their goals, and finding solutions that deliver on both as efficiently as possible.  She says, “Due to the individual nature of estate planning, relationships are important, and I believe that’s the best way to invest in building your book of business.” John Mays, the Managing Partner of Gould & Ratner, says, “she [Jennifer Tolsky] brings a wealth of experience to the firm and is a pleasure to work with on matters very personal and thus very important to our clients.”

Copyright ©2019 National Law Forum, LLC.
This post was written by Eilene Spear of the National Law Review.
Read more Business of Law news on our Law Office Management page.