On July 12th, the Colorado Attorney General’s office announced its enforcement of the Colorado Privacy Act (“CPA”) with a bang by sending out informational letters to companies and publishing a tranche of compliance resources.
The letters were not notices of violation, but rather served to inform the recipient about the CPA and urge them to review the law, its applicability thresholds, and its compliance requirements. A sample of the letters is available on the Attorney General’s website. Three types of letters were sent and all followed a similar approach. One of the letter samples appears to focus more on the CPA’s consent requirements for Sensitive Data and children’s data, signaling that the Attorney General’s Office may have felt some companies needed a particular reminder about the law’s consent rules. This letter also stressed that these consent rules apply to collection of this data through pixel tracking and similar technologies, echoing comments made by the FTC and HHS OCR, as I wrote about in a prior blog entry.
The other resources the Attorney General’s Office published included an FAQ, a series of 5-10 minute videos discussing discrete compliance requirements of the CPA, and an article the Attorney General penned for coloradopolitics.com regarding the CPA. We’ll be summarizing the informational videos in an upcoming blog entry. The coloradopolitics.com article tracks previous statements the Attorney General has made regarding the CPA and the Office’s enforcement goals, namely:
Throughout the process, our goal was to create rules that businesses and nonprofits can understand and follow — not set traps or create a “gotcha” game for data controllers. To use a basketball analogy, we are not going to take on those who are trying to implement the law and commit the equivalent of a ticky-tack foul; rather, we are looking to hold accountable those committing flagrant ones, making clear that these rules must be taken seriously.
The above confirms again, as stated in the FAQ and based on other nonprofit publications, that the CPA applies equally to both for-profit and nonprofit entities. The CPA is unique among newer state privacy laws in that regard (Oregon’s new law provides nonprofits a one-year exemption and has other ongoing exemptions for certain types of nonprofits). The above also reiterates, as the Attorney General has indicated in various speaking events (including as relayed by the above nonprofit publication, for example), that the Office’s enforcement priority will focus on more serious violations. Based on his comments, it appears that organizations that make an effort to achieve compliance and perhaps make mistakes along the way, but commit to remedy those mistakes, may fare better than organizations that demonstrate a willful disregard for the CPA, decline to make an effort to comply once informed of violations, or ignore the Office’s communications and fail to respond.
These compliance resources are a welcome addition and will hopefully serve to help covered organizations plan their path toward CPA compliance.