Colorado Privacy Act has been written into law, making Colorado the third US state with comprehensive privacy laws.
The Colorado Privacy Act has recently been signed into law, giving comprehensive privacy laws to the residents of Colorado for the first time. Colorado is now the third US State to enact such laws, with theirs being very similar to those which came before it, with a few key differences. Unlike the California Consumer Privacy Act (CCPA), the CPA has adopted a WPA-like controller / processor approach, instead of a business / service provider perspective. This new law is said to look very familiar to this year’s Consumer Data Protection Act (CDPA) in Virginia, with a slightly broader scope.
The Colorado Privacy Act is intended to apply to businesses trading with Colorado residents acting only in an individual or household context.
The CPA applies to any data controller that conducts business in Colorado, as well as delivers commercial products targeted at the residents of Colorado, that meets the following requirements:
- The business controls or processes personal data of at least 100,000 consumers during a single calendar year.
- The business derives revenue or receives a discount from the sale of personal data, and processes all controls the personal data for at least 25,000 consumers.
According to the CPA, “consumer” refers to a Colorado resident, acting only as an individual or in a household context. This omits individuals acting in a commercial or employment context or a beneficiary thereof, or as a job applicant. Like the CDPA controllers, operating under the CPA do not need to consider employee personal data as applicable under this law.
The CPA applies to the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
Under the CPA, both monetary consideration and any other valuable consideration exchanged for personal data is considered the sale of personal information. Unlike the CDPA, the sale is not only defined by the exchange of monetary considerations. The sale described here excludes several types of disclosures. These include disclosures to a processor that is processing personal data on behalf of a data controller, disclosures to a third party for the purpose of providing a product or service requested by a customer, disclosures to an affiliate of the controller’s, as well as disclosures to a third party as part of a proposed or actual merger, acquisition, bankruptcy or another transaction in which the third party controls some or all of the controller’s assets.
Deidentified data and publicly available information are not covered by the scope of the CPA’s definition of personal data.
The CPA does not cover any publicly available information or deidentified data. The CPA defines publicly available data as “any information that is lawfully made available from … government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” These are both explicitly excluded from the CPA as is the case with the CDPA. Other exempt data under this law falls under two categories, entity-level exemptions and data-level exemptions. The entity level exemptions are broader and exempt controllers from the need to comply with CPA obligations and rights on data collected, even when the data would otherwise be included. For example the primary entity level exemption under the CPA applies to entities which are already regulated by the Gramm-Leach-Blilet Act for financial institutions.
The Colorado Privacy Act provides five main rights to the consumer.
The CPA provides five main rights for the consumer. These include the right of access, right to correction, right to delete, right to data portability, and the right to opt out. The right of access gives consumers the right to confirm whether a controller is processing personal data concerning them and the right of access to that personal data. Under the CPA consumers are also given the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purpose of the processing. Consumers also have the right to delete their personal data. According to the right to data portability, consumers must be able to obtain their personal data in a portable and readily usable format which allows them to transmit the data to another entity without hindrance, where technically feasible. The CPA also gives consumers the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling for decision-making that may produce legal or similarly significant effects concerning them.
There are several obligations to be fulfilled by controllers and processors under the CPA.
The CPA imposes several obligations on controllers. These include the duties of transparency, purpose specification, data minimization, care, avoidance of secondary use, avoidance of unlawful discrimination, data protection assessments, data processing contracts, and specific duties regarding sensitive data. The CPA requires a controller to provide consumers with a reasonably accessible, clear and meaningful privacy notice. If their data is sold to a third-party or processed for targeted advertising, the controller will have to clearly and conspicuously disclose the sale of processing as well as give consumers the means to opt out. Controllers must specify the express purposes for which they are collecting and processing personal data at the time of the collection of this personal data. The CPA also institutes a policy of data minimization requiring controllers to only collect personal data that is adequate, relevant and limited to what is reasonably necessary for the specified purposes of the collection and processing. In addition, Data controllers are not allowed to process personal data for purposes that are not reasonably necessary to, or compatible with the specified purposes for which it was collected, neither are controllers allowed to process sensitive data without consent. Data protection assessments and contracts are a necessary part of a controller’s obligations under the CPA. The CPA requires that processing must be governed by a contract between the controller and the processor.
Does your company have all of the mandated safeguards in place to ensure compliance with the CCPA, CPA, GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides GDPR ,Data Protection Act 2018 and comparative law consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
SCCs and Privacy Shield replacement are both of paramount importance to trans-Atlantic data flows, however, right now the focus may be more on new SCCs.
Almost one year since the CJEU “Schrems II” decision, a new EU-US privacy shield may still be far off. However, with Standard Contractual Clauses being upheld and used quite frequently to facilitate cross border data flows, new SCCs can be expected soon. According to this IAPP article, new SCCs may be here within a matter of weeks. Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission said “We are about to because it’s a question of weeks, adopt modernized SCCs that do things that are aligned with the (EU General Data Protection Regulation) that are much better adapted to the reality of today’s digital economy”.
The new Standard Contractual Clauses are expected to be here in short order, and the Commission considers the feedback received on the draft SCCs.
Since the Schrems II decision, SCCs have been upheld, but with a few caveats. They have been put to use to facilitate data flows between the EU and the US, however this has not been without incidence. While privacy professionals wait for conclusive information regarding data flows across the Atlantic, there have been some recent developments. Bruno Gencarelli, during IAPP’s Global Privacy Summit Online, said that the new Standard Contractual Clauses will soon be adopted. Gencarelli, based on the feedback the European Commission received, called the draft SCCs an “enormous success”, with the Commission taking this feedback very seriously. The ongoing process is intended to modernize the SCCs to better suit the current digital climate’s size and complexity.
“This is a much awaited step forward which once in place will help to unify the dissimilar criterion that EU Supervisory Authorities have been applying since Schrems II when it comes to international data transfers, as we have recently seen with the Bavarian and French DPAs decisions” comments Cristina Contero Almagro, Aphaia’s Partner.
Privacy Shield replacement negotiation is intensifying, but a privacy shield replacement may still be far off.
While there is a willingness on each side to make a deal on a replacement for Privacy Shield, it is a balancing act between privacy and national security, making this a delicate, and complex situation. As we have seen since Schrems II, SCCs, while very useful, may not always be enough. As each side seeks to create a durable replacement for Privacy Shield, one that can stand up to legal challenges and political scrutiny, talks are underway for a solution that will meet the needs of both parties with regards to both privacy and national security.
Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.
A recent CCPA update includes two amendments signed into law, with further proposed modifications possible.
The California Consumer Privacy Act (CCPA) is changing according to this recent article from IAPP. In September, the California Attorney General, Xavier Becerra highlighted the need for privacy law in the United States. His testimony was presented during the Senate Commerce, Science and Transportation Committee hearing, taking advantage of the context of federal legislation on the subject.
The secretary underscored the different approach that his office can take to the application of the CCPA, and also the future that privacy issues should have in law. In addition to the statements, the California Legislature had already approved several bills with privacy implications prior to this update.
Becerra confirmed that since July 1 (compliance date of the CCPA), his office “began to work.” The secretary’s team wants to issue notices to prevent companies with privacy policies from breaking the law. In other words, correct companies that include the “Do Not Sell Links to My Personal Information”.
In his statements, the secretary mentioned the recent lawsuits against Uber (2018), Equifax (2019), and Glowde September (2020). The Attorney General’s Office recently settled a case with Anthem regarding a 2014 data breach for $8.69 million.
What changes were made to the CCPA?
Statements in the written testimony are not limited to a private right of action. The secretary identified other ways to strengthen consumer privacy rights, noting that the CCPA “could go further.” Among the proposals are:
The secretary suggested making the CCPA’s disclosure requirements more specific. Companies offer “source categories” to collect personal information or “third party categories” to sell the information. Instead, by requiring specific disclosures such as company names, sources, or recipient of the information, consumers can know how much was shared.
Becerra maintains that the duty should be imposed to use a consumer’s personal information according to the purposes. That is the fines for which the consumer will obtain their collection, always respecting the interests of the person. Especially with sensitive information, such as precise geolocation.
Right to rectification
A highlight of the CCPA update is the ability to correct for consumers. For example, rectify personal information collected, to reduce the risk of spreading erroneous data.
Protection of civil rights
There is a need for “clear lines on what is an illegal use of data from the context of the protection of civil rights”. What is important about this is that the testimony provides relevant information from the Attorney General’s perspective. Specifically, on expanding privacy protections for California consumers.
What does the future hold?
There is a pending vote initiative from the California Privacy Rights Act that could boost enforcement. With a tentative date in November, a new enforcement agency could be created. This agency would have $5 million in the fiscal year 2020-21 and another $10 million thereafter. The creation and funding of the California Privacy Protection Agency would go into effect immediately, but most of the CPRA’s practices begin in 2023.
At the moment the best thing is to see how the landscape of California privacy law progresses, including the activity of CCPA enforcement. Also, it is necessary to be aware of the CPRA voting initiative and the third set of proposed modifications to the CCPA regulations issued by the OAG.