More and more states, such as California, Connecticut, Utah, and Virginia, are enacting data privacy laws. For companies that do business in, or collect information on or from individuals residing in, such states, it is imperative that they enact or update existing policies, procedures, and agreements so that these comply with the data processing laws specific to the jurisdictions from which the information is collected. For companies doing business in Colorado, or collecting or processing information from Colorado residents, that means complying with Colorado’s revised privacy act, appropriately named the “Colorado Privacy Act” (C.R.S. 6-1-1301, et seq., the “Act”), which is set to go into effect on July 1, 2023. Among other things, the Act places various responsibilities and obligations on data processors and controllers. The Act also requires that data controllers, processors, and subcontractors use and maintain data processing agreements that include the specific provisions and obligations set forth in the Act.
The Act defines a “controller” as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data.” In contrast, the Act defines a “processor” as a person that processes personal data on behalf of a controller. In practice, whether a person is acting as a controller or processor with respect to a specific set of data is a fact-based determination that depends upon the context in which the personal data is to be processed. In large part, the determination turns on the issue of control: the party that holds the power to determine the purpose and means of processing data will be the controller. Although this generally means a business, website, app, or software owner will be the controller, where a controller delegates power to a processor to determine the means and scope of processing data, or where a processor fails to adhere to a controller’s instruction, the processor can also be considered a controller.
To help illustrate, if an employer (“Company A”) shares employee information, such as home addresses, Social Security numbers, dates of birth, and direct deposit information, with a third-party payroll processing company (“Company B”) to assist with paying Company A’s employees, Company A is a data controller and, so long as Company B follows Company A’s directions in managing the personal information for purposes of assisting with payroll, Company B is a processor and not a controller.
Likewise, if the owner of a software-as-a-service platform (“Company C”) collects user information when users subscribe to the platform, and then shares that information with a third-party data analysis company (“Company D”) so that Company D can analyze the information and help Company C gain insight into customer use of the platform, Company C is a controller and, again, so long as Company D follows Company C’s directions in using the personal information, Company D is a processor.
The Colorado Privacy Act places numerous obligations and duties on data controllers, both with respect to the controller’s relationship with consumers and its relationship with processors. In dealing with consumers, a controller owes, among other things, each of the following duties:
- A duty of transparency, in the form of a clear privacy policy notice;
- A duty of purpose specification;
- A duty of data minimization;
- A duty to avoid secondary use;
- A duty of care;
- A duty to avoid unlawful discrimination; and
- A duty regarding sensitive data.
In meeting its duties, a data controller is required to provide certain notices, such as privacy policies, to consumers. Controllers are also required to implement and maintain various internal processes and procedures for dealing with consumer requests and responding to data breaches.
In large part, the Act requires that processors adhere to the instructions of a controller and assist the controller in meeting its obligations under the Act. To this end, the Act requires that processors:
- Take appropriate technical and organizational measures to help fulfill a controller’s obligations to respond to consumer requests;
- Help meet a controller’s obligations in relation to the security of processing personal data and in relation to the notification of a breach of security; and
- Provide information to a controller as necessary to enable the controller to conduct and document any data protection assessments required by the Act.
Additionally, regardless of a controller’s instructions, a processor must:
- Ensure that each person processing personal data on behalf of, or under, the processor is subject to a duty of confidentiality with respect to the data; and
- Engage a subcontractor only (1) after providing the controller with an opportunity to object and (2) pursuant to a written contract that meets the requirements of the Act governing processing contracts.
As noted, the Act requires both (1) that data processing contracts be used and (2) that such data processing contracts meet specific Act-mandated requirements. This is true regardless of whether such contracts govern an agreement or relationship between (i) a controller and a processor, or (ii) a processor and a subprocessor. In pertinent part, the Act requires that data processing contracts include, at a minimum, provisions governing the following:
(1) The processing instructions to which the processor is bound, including the nature and purpose of the processing;
(2) The type of personal data subject to the processing, and the duration of the processing;
(3) Duties of confidentiality;
(4) A clear allocation of the responsibilities between the parties with respect to implementing the security measures required of controllers and processors by the Act;
(5) At the choice of the controller, a requirement that the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(6) A requirement that the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations of the Act; and
(7) A requirement that the processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor or, alternatively, that the processor may, with the controller’s consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor’s expense, an audit of the processor’s policies and technical and organizational measures in support of the obligations under the Act using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable.
The Act also contains an express prohibition on the inclusion of certain waiver provisions in data processing contracts to the extent such provisions attempt to relieve a controller or a processor from the liabilities imposed on them by the Act.
Accordingly, businesses processing, collecting, analyzing, or controlling data should ensure that data processing agreements are used when entering into relationships with third parties and that such data processing contracts meet the stringent requirements of the Act and any other data processing laws to which the parties may be subject.
Because the Act places numerous other obligations and requirements on both controllers and processors when dealing with Colorado consumers’ personal data, and because failure to comply with the Act can result in legal action or penalties being brought or assessed against a non-compliant company, companies that collect, use, sell, store, disclose, analyze, delete, or otherwise modify or use Colorado consumer personal data should, in addition to ensuring the use of proper data processing agreements, take additional steps to help ensure they are in compliance with the Act such as:
- Reviewing current internal business practices and policies to understand what data is collected or processed from consumers and how it is used;
- Ensuring an updated privacy policy is in use and easily available to consumers;
- Ensuring additional notices regarding the company’s data processing practices are in place and made available to consumers, such as opt-out notices, as applicable;
- Ensuring updated internal policies and mechanisms governing internal and third-party data handling are in place and are provided to relevant employees and contractors;
- Ensuring records are properly taken, and retained, documenting compliance with the Act’s requirements, such as when carrying out data processing assessments;
- Ensuring updated internal policies and mechanisms regarding consumer requests and notifications are in place and provided to relevant employees and contractors; and
- Ensuring mechanisms are in place to prevent, and respond to, data breaches, and ensuring that mechanisms are in place to notify affected consumers.