By Janelle M. Lewis, Attorney, Business & Legal Strategic Consultant

Consumer Rights to Privacy Expanding State by State

Consumer rights to their data are expanding in the U.S state by state. First it was California, then it was Virginia and now it is Colorado. On July 7th, 2021, the Colorado Privacy Act (CPA) was signed into law. Similar to the CPRA and the CDPA, the CPA creates consumer rights by restricting what businesses can do with the personal data they collect from Colorado residents. This includes the right to opt-out of the processing of their personal data for the purposes of: targeted advertising, the sale of personal data, or the profiling of their data. As with the CPRA and the CDPA, the CPA also gives Colorado residents the right to access, correct, and delete their personal data, as well as data portability. 

How the CPA differs from the CPRA and the CDPA in two Aspects of Notice and Data Processing 

“Duty of Purpose Specification” 

The responsibility of businesses differs between the CPA and the CPRA and the CDPA. Under the CPA, businesses are expressly required to “…specify the express purposes for which personal data are collected and processed,” whereas under the CPRA, businesses “…should specifically and clearly inform consumers about how they collect and use their data…” Similar to the CPRA, the CDPA states that businesses should “[l]imit the collection of personal data to what is adequate, relevant, and reasonably necessary in relations to the purposes for which such data is processed, as disclosed to the consumer.” 

“Duty to Avoid Secondary Use”

While the CPRA and the CDPA restricts businesses from processing the data collected in a way that is not “reasonably necessary” or “reasonably compatible”  with what was disclosed to the consumer without consent, the CPA is much more explicit in their restrictions. Under the CPA, there is an express “duty to avoid secondary use” which means that businesses are restricted from processing personal data “…for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed…” without consent.

Under these two requirements, the CPA expands the data privacy rights of Colorado consumers via the requirement that businesses become more transparent in their data collection and processing activities.

CPA Expanding Data Privacy Rights of Consumers by Requiring More Transparency

The CPA goes a step further than the CPRA and the CDPA in expanding consumer rights to their personal data. The biggest difference between the CPA and the CPRA and the CDPA is the the “duty to avoid secondary use” under the specific notice requirement.  Under the CPA, businesses “…must express to the consumers of the state exactly why it is they are collecting their personal data and what they plan to do with their data. The more detailed notice requirement coupled with the “duty to avoid secondary use” both requires businesses to clearly express their data collection intentions when giving notice to Colorado consumers and restricts what businesses can do with the data after it is collected,  thus prohibiting data processing that is outside of the notice they initially provided (without consent). 

Under these two requirements, the CPA expands the data privacy rights of Colorado consumers via the requirement that businesses become more transparent in their data collection and processing activities. Businesses that collect the data of Colorado consumers must be clear in their reason and not simply disclose or inform consumers about their data collection and processing activities. Establishing “the duty to avoid secondary use” further expands consumer rights to data privacy by expressly assigning responsibility to business to engage in data processing activities that are aligned with the notice they gave to consumers. Without consent, businesses cannot deviate from the specified purposes that they originally stated in their notice to consumers. This results in Colorado consumers having more opportunities to get notice and give their consent to how their data is processed after the original collection of their data. 

Without consent, businesses cannot deviate from the specified purposes that they originally stated in their notice to consumers. This results in Colorado consumers having more opportunities to get notice and give their consent to how their data is processed after the original collection of their data. 

Click here to learn more about Janelle, her background, and her professional services.