SUMMARY
To date, US non-profit organizations have enjoyed an exemption from the state omnibus privacy laws. That’s about to change. Unlike the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), or the upcoming state privacy laws in Connecticut and Utah, the new Colorado Privacy Act (CPA) applies to non-profits and takes effect on July 1, 2023. Compliance with the CPA is complex and nuanced, and many non-profits may not have the privacy infrastructure that commercial businesses do, making compliance a heavy lift. To that end, we have compiled a list of key compliance measures non-profits should consider when addressing their obligations under the CPA.
The Colorado Privacy Act
As an initial matter, non-profits that meet some specific criteria must comply with the CPA. The CPA applies to legal entities (including non-profits) conducting business in Colorado, or producing or delivering commercial products or services that are intentionally targeted to Colorado residents, that:
- Control or process the personal data of at least 100,000 Colorado consumers during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.[1]
Thus, by its terms, the definition applies to non-profits that meet either of the processing thresholds. Non-profits may be surprised to learn they process the personal data of enough Colorado consumers to subject them to the CPA. “Personal data” is defined very broadly as “information that is linked or reasonably linkable to an identified or identifiable individual.”[2] This could include many data points beyond the names and addresses of donors.
“Sale” is defined broadly under the law as well. A “sale” under the CPA is “the exchange of personal data for monetary or other valuable consideration.”[3] An organization facilitating a contact list rental or exchange with a partner would likely be determined to be engaging in a “sale” under the law if it received any valuable consideration in return, bringing the total number of Colorado consumers required to meet the threshold to only 25,000. As such, many non-profits are likely to meet the threshold to subject them to the CPA.
New Obligations
If your non-profit falls under the purview of the CPA, it will be subject to a number of new obligations as of July 1, 2023. These include:
Notice
Your non-profit will need to provide a “reasonably accessible, clear, and meaningful privacy notice” that informs Colorado residents of a variety of information about how their personal data is processed, including what types of data are collected, how the data is used and shared, the purposes of the processing of personal data, and how consumers can exercise their data subject rights.[4]
Data Subject Rights
The CPA provides consumers a number of new rights concerning how their data is processed. These include:
- Right to opt-out of certain types of processing;
- Right to access;
- Right to correction;
- Right to deletion;
- Right to data portability.
Your organization will need to implement and operationalize a process for responding to data subject requests (DSRs). Your organization will have 45 days to respond to these requests, but this deadline may be extended by another 45 days if it is “reasonably necessary.”[5]
Sensitive Data
Your non-profit will need to obtain opt-in consent before processing sensitive data.[6] Under the CPA, “sensitive data” means (i) personal data “revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status”; (ii) genetic or biometric data that may be “processed for the purpose of uniquely identifying an individual”; or (iii) personal data from a known child.[7] Many non-profits collect sensitive data because it directly relates to their mission or goals, and they will therefore need to implement new processes to operationalize the receipt of consent.
Children’s Data
As noted above concerning the definition of sensitive data, your non-profit will also need to obtain consent from the parent or lawful guardian of a known child (defined as “an individual under thirteen years of age”[8]) before processing personal data concerning that child.[9]
Data Protection Assessments
Your non-profit will need to conduct Data Protection Assessments for each processing activity that “presents a heightened risk of harm to a consumer.”[10] Some examples given in the law are (1) targeted advertising; (2) profiling, if it presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, intrusion on seclusion, or other substantial injury; (3) the sale of personal data; and (4) the processing of sensitive data.[11] Colorado lays out very specific requirements for what these assessments should include and how and when they should be completed.[12]
Contracting Requirements
Your non-profit must ensure that its contracts with vendors that process personal data on the non-profit’s behalf include specific requirements, including limiting the processing of personal data to identified purposes, maintaining appropriate security, and assisting with DSRs and Data Protection Assessments.[13]
Security Requirements
Your non-profit must implement and maintain reasonable administrative, technical, and physical data security practices to safeguard personal data.[14]
Data Minimization
Your non-profit must reasonably minimize the amount of personal data it processes to what is necessary relative to the disclosed purposes of processing.[15] A specific method is not required, but one strategy is to use a data map or similar tool to determine how your non-profit currently collects, retains, and manages access to personal data. This data map may then be used to establish and implement a retention schedule for each data type.
Duty to Avoid Secondary Use
Your non-profit must not process personal data for purposes that are not reasonably necessary or compatible with the specified purposes that were disclosed to the consumer, either in a consent or in a privacy notice, unless the consumer consents.[16] If the personal data must be used for a secondary purpose, your non-profit must obtain an additional consent from consumers in advance of processing.[17]
Duty to Avoid Unlawful Discrimination
Your non-profit must not process personal data in violation of state or federal laws that prohibit unlawful discrimination.[18]
Universal Opt-Out Mechanism (as of July 1, 2024)
As of July 1, 2024, your non-profit will need to recognize a universal opt-out mechanism, which could be one of a variety of technical mechanisms (such as a browser signal) that enable the consumer to automatically opt-out of the processing of personal data for either targeted advertising or the sale of personal data.[19]
Fines and Regulatory Penalties
The consequences for failing to comply with the CPA can be stiff. The Colorado Attorney General and local district attorneys are responsible for enforcing the CPA. Violating the CPA is deemed a deceptive trade practice, and fines can be up to $2,000 per violation, per consumer, up to a maximum penalty of $500,000.[20] Upon initiating an action, the Attorney General or district attorney must provide notice to the entity, which then has 60 days to cure the violation. This right to cure is a temporary provision and will end on January 1, 2025.[21]
Non-profits should consider whether the CPA applies to them. If it does, there is no time to lose. Preparing for the CPA may take a significant amount of time, as it may mean creating new workflows and operationalizing many of these processes.
[1] Col. Rev. Stat. § 6-1-1304(1).
[2] Col. Rev. Stat. § 6-1-1303(17).
[3] Col. Rev. Stat. § 6-1-1303(23).
[4] Col. Rev. Stat. § 6-1-1308(1)-(2).
[5] Col. Rev. Stat. § 6-1-1306.
[6] Col. Rev. Stat. § 6-1-1308(7).
[7] Col. Rev. Stat. § 6-1-1303(24).
[8] Col. Rev. Stat. § 6-1-1303(4).
[9] Col. Rev. Stat. § 6-1-1308(7).
[10] Col. Rev. Stat. § 6-1-1309.
[11] Col. Rev. Stat. § 6-1-1309(2).
[12] Col. Rev. Stat. § 6-1-1309; see also 4 CCR 904-3 Rule 8.
[13] Col. Rev. Stat. § 6-1-1305(5).
[14] Col. Rev. Stat. § 6-1-1308(5).
[15] Col. Rev. Stat. § 6-1-1308(3).
[16] Col. Rev. Stat. § 6-1-1308(4).
[17] 4 CCR 904-3 Rule 6.08(B).
[18] Col. Rev. Stat. § 6-1-1308(6).
[19] Col. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).
[20] Col. Rev. Stat. § 6-1-1311; see also Col. Rev. Stat. § 6-1-112 (Colorado Consumer Protection Act).
[21] Col. Rev. Stat. § 6-1-1311(d).