Banner artwork by Bernulius / Shutterstock.com
Although nonprofit organizations are exempt from several of the recent US state privacy laws, including the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), as well as the new Virginia, Utah, and Connecticut acts, they will need to comply with the new Colorado Privacy Act (CPA), which goes into effect on July 1, 2023.
This may come as a surprise to US nonprofit organizations, which have generally not had to focus much on privacy compliance in the post-CCPA/CPRA landscape, though the CPA's concepts will be familiar to those that are already GDPR-compliant.
Below is a brief summary of the CPA and what nonprofit organizations should do to prepare to be compliant, following up on prior articles about the new US privacy laws.
The Colorado Privacy Act
The CPA applies to legal entities that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado (essentially “controllers”) that:
- Control or process the personal data of 100,000 or more consumers during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers.
There is no revenue threshold, unlike the California laws, but there are exclusions for individuals acting in a commercial or employment context, like job applicants.
To comply with the CPA, nonprofits need to provide consumers with clear privacy notices and conduct data protection impact assessments (DPIAs) for any personal data processing that presents a “heightened risk of harm” to consumers. Conducting DPIAs may be a new obligation for nonprofits in the United States, and proposed rules implementing the CPA are being drafted that will expand on these requirements.
Consumers’ right to opt-out
Colorado consumers will have the right to opt out of the processing of their personal data for targeted advertising, for the sale of that data, or for profiling in furtherance of decisions that produce legal or similarly significant effects. This is particularly important for nonprofits that engage in targeted advertising through their websites, or that exchange data with list brokers in a way that may be considered a sale of personal data.
Consumers will also have the right to:
- Access their personal data;
- Correct inaccuracies;
- Request deletion of their data;
- Require that “sensitive personal data” not be processed without clear, specific opt-in consent;
- Appeal a controller’s refusal to act on a request concerning their data; and
- Obtain their data in a portable format.
Nonprofits will have to respond to a consumer request within 45 days of receiving it, extendable once by a further 45 days where reasonably necessary, provided the consumer is informed of the extension.
Duties of data controllers
In addition, as controllers, nonprofit organizations will have to comply with certain duties:
- Duty of Transparency: clearly informing consumers about the use of their data;
- Duty of Data Minimization: only collecting data that is reasonably necessary for the purpose;
- Duty of Purpose Specification: specifying the express purposes for which personal data is collected and processed;
- Duty to Avoid Secondary Use: not processing personal data for purposes that are not reasonably necessary for, or compatible with, the specified purposes unless the consumer consents;
- Duty of Care: taking reasonable measures to secure personal data during storage and use against unauthorized acquisition;
- Duty to Avoid Unlawful Discrimination;
- Duty Regarding Sensitive Data: requiring an opt-in consent to process sensitive information.
The CPA is enforced by the Colorado attorney general and district attorneys. Before bringing an action, they must issue a notice of violation giving the nonprofit controller 60 days to cure the violation; this cure period expires on January 1, 2025.
Nonprofit organizations should begin preparing for CPA compliance by conducting DPIAs and by reviewing their privacy policies, as well as their data management and security practices, for the information they retain about Colorado residents.