Colorado Privacy Act Controllers
By: Sean Hansen | HR Compliance Coordinator
As everyone is probably beginning to realize, there is nothing simple about the Colorado Privacy Act. In this article, we dove into the rights bestowed on consumers by the CPA. It’s only right we shift focus to the other half of the law: Controllers.
A Quick Recap
We touched on Controllers last time, but in case you forgot (and who could blame you), a ‘Controller’ is defined as a person or business, whether alone or jointly with others, that determines the purposes for and means of processing personal data. For example, retail outlets like Target collect consumer data when they make purchases, so they would be considered a Controller.
A Controller is held responsible under the CPA if they meet two requirements.
First, they have to conduct business in Colorado, or at least produce or deliver commercial products and/or services that are intentionally targeted to residents of Colorado.
Secondly, they have to meet one or both of two thresholds, those being:
1) they control or process the personal data of 100,000 consumers or more during the calendar year, and/or,
2) they derive revenue (or receive a discount on the price of goods and services) from the sale of personal data, and they also process/control the personal data of 25,000 consumers or more.
Now that we have the definitions out of the way, let’s move on to what Controllers are required to do under the CPA.
Transparent as Mud
Everyone has probably experienced going to a website, downloading an app, or something along those lines and getting some sort of privacy notice or terms of conditions. Often times it can feel like we should be asking for a lawyer, and that’s exactly what the CPA is trying to curb. Controllers now have a duty to provide consumers with a privacy notice that is ‘reasonably accessible’ and ‘clear and meaningful’. In order to meet that obligation, a privacy notice has to include the following information:
Categories of personal data collected and/or processed (for example, ‘payment information’, ‘contact information’, or ‘government-issued identification’).
The purpose(s) for why the personal data is being processed. This has to provide the consumer with an understanding for each category of personal data collected.
How the consumer can exercise their rights. This has to include a Controller’s contact information, to allow for the consumer to exercise their right to appeal.
If the Controller shares personal data with third parties, they must state what categories of personal data is shared with them.
If the Controller shares personal data with third parties, they must also state what categories of third parties they share with (for example, ‘data brokers’, ‘third party advertisers’, or ‘analytic companies’).
If the Controller sells personal data, or uses it for targeted advertising, the Controller must ‘clearly and conspicuously’ disclose this information in the privacy notice, as well as a way for the consumer to opt out of the sale.
If the Controller is using the personal data for the purposes of profiling, they must make the required disclosures (see our previous article).
A list of all consumer data rights.
A description of how consumers may submit requests to the Controller in order to assert their data rights, including:
Instructions for the process(es) of submitting requests.
Instructions about how an authorized agent can opt out on a consumer’s behalf.
A clear method to opt out of a consumer’s data being processed.
A description of how a Controller verifies a consumer’s identity when processing a request.
The date the privacy notice was last updated.
What all this means is that these privacy notices have to be clear and accessible for consumers, as well as inform them on how a Controller will be using their information. They also have to inform consumers about the rights they have under the CPA and how they can use them. Controllers also cannot engage in ‘dark patterns’, which we defined in our last article. To summarize, it’s a user interface specifically designed to manipulate a user. There are a lot of manipulative practices that fall under a ‘dark pattern’. If you don’t know what rights consumers have under the CPA, or need a refresh on dark patterns, check out our article we published about it: LINK
Controlling the Narrative
One of the ways the CPA sets out to provide transparency about personal data is ensuring that all disclosures, notifications, and other communications to consumers is understandable to everyone. To do this, communications must be designed around the target audience, considering their vulnerabilities, especially if they are children. Controllers need to avoid language that is not straightforward or that is legal jargon. Any language that is written or presented in a way that is unfair, deceptive, false, or misleading is not allowable.
They also need to be, within reason, accessible to those with disabilities. Controllers should follow the industry standards when it comes to accessibility.
Communications should also come in any language that the Controller provides web pages, disclaimers, contracts, and other information in. For example, if you provide an option for consumers to receive information in Spanish, your disclosures should also come in Spanish.
The Controller has an obligation to provide a readable disclosure across all devices the consumer may regularly interact with them on. This depends on your business, but for example this may mean you need to make sure it is readable on a phone, tablet, or computer.
The Simpler Things in Data Processing
Transparency is, ironically, the most complicated duty to explain, because it has to account for loopholes and underhanded tactics a malicious Controller could use. The other duties imposed on Controllers are much simpler. Controllers have an obligation to:
Specify what purposes they are collecting processing personal data for.
To minimize the data collected. This means the personal data they collect must be relevant and limited to only what is reasonably necessary to fulfill the Controller’s purpose.
The Controller cannot process personal data that is not reasonably related to their purpose, unless they first obtain a consumer’s consent.
Take reasonable measures to secure personal data against unauthorized access. Specifically, the measures have to be appropriate relative to the volume and scope of the personal data being processed.
In this same vein, they must also implement appropriate technical and organization measures on a level that is appropriate to the risk. They must also have a clear allocation of responsibilities for each Controller or processer to implement said measures.
Controllers cannot violate any state or federal law relating to discrimination when collecting or processing personal data.
Sensitive data cannot be processed without first obtaining consent (Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition/diagnosis, sex life/sexual orientation, citizenship/citizenship status, genetic or biometric data that can be processed for the purpose of uniquely identifying an individual, or personal data from a known child).
Breaking that down, Controllers have to have a purpose for using your personal data, and they have to stick to it. Any deviation isn’t allowed without your express permission, especially when it comes to sensitive data. Once they have your data, Controllers have to make sure it’s reasonably protected. They also cannot violate any other laws when collecting or processing data, which is one of those things that’s obvious, but has to be in there.
Data processing is hard to understand, and malicious actors taking your data without permission or tricking you into consenting doesn’t make it any easier. The CPA strives to make this easier for consumers, by empowering them with rights, and putting the obligation on the Controller to inform the consumer about how their data will be used. As always, consider reaching out to Vida HR and inquire about our HR services if you’re unsure about how the CPA will affect you.
Colorado Privacy act controllers