How Nonprofits Can Prepare for the Colorado Privacy Act
The Colorado Privacy Act goes into effect in July 2023. But nonprofit organizations should be preparing now to address its upcoming requirements.
Who is Governed by the CPA?
The CPA applies to organizations doing business in Colorado that meet one of two criteria. Either they process₁ the personal data₂ of at least 100,000 Colorado residents during a calendar year, or they derive revenue or receive a discount on the price of goods or services from the “sale”₃ of personal data and “process” the data of at least 25,000 Colorado residents. Depending on the scope of a nonprofit organization’s marketing and outreach program in Colorado, it could easily meet one of these two thresholds.
While nonprofit organizations might not consider their fundraising efforts to fall under the term “conducting business,” the CPA does not define exactly what that term means. The general consensus among privacy professionals is that the CPA applies to both for-profit and nonprofit organizations that meet the law’s thresholds for processing personal data. This is in part because, unlike the new Virginia law that the CPA closely resembles, the CPA does not provide an explicit exemption for nonprofits.
Organizations might be surprised to learn that they process enough data of Colorado residents to be subject to the law. Beyond just the number of donors in Colorado, an organization would also need to look at the number of Colorado residents whose data is received for other purposes, such as donor prospecting, mission outreach, volunteer activities, analytics, and other sources. For example, an organization doing any kind of list rental or exchange (which would likely constitute a “sale” under the CPA) that had 25,000 or more consumer records in total across all of those types of activity would be subject to the CPA.
What Does the CPA Require?
Organizations governed by the CPA must extend a set of basic consumer rights to Colorado residents:
- The right to access information about their personal data that the organization processes
- The right to have their personal data deleted
- The right to correct inaccurate personal data held about them by the organization
- The right to opt out of the sale of their personal data and to opt out of targeted advertising online₄
- The right not to have “sensitive personal data” processed unless the organization has the consumer’s clear, specific, opt-in consent
The CPA contains a number of additional requirements as well. Organizations governed by the CPA must:
- Specify all purposes for which they process personal data
- Implement an appropriate level of security for personal data
- Conduct what are commonly known as “privacy impact assessments”₅ in several different scenarios, including those in which there is targeted online advertising or the sale of personal data
- Ensure that their contracts with service providers include specific requirements such as limiting their processing of personal data to identified purposes, maintaining appropriate security, and committing to assist with privacy assessments
- Reasonably minimize the amount of data processed as necessary relative to the disclosed purposes of processing
How Can Nonprofits Prepare Now?
The CPA goes into effect on July 1, 2023, and no time should be lost when it comes to preparing. Experience has shown that getting ready for this type of law can take a significant amount of time, as it often means creating new workflows and implementing new technological solutions. Therefore, nonprofits should not wait to begin. The following are steps that they can take now:
- Consider how they receive and use “sensitive personal data.” Under the CPA (and the new Virginia law as well), some basic demographic data about a consumer’s race, nationality, or religion is considered sensitive, which is a departure from prior United States consumer privacy laws. Unless these laws were to change significantly before they become effective in 2023, their strict opt-in requirements will make it much harder to know and leverage this kind of data for people in these states. If fundraisers think that these requirements could impact their ability to accomplish their missions or goals, they should consider working with industry groups to explain to legislators how they use this demographic data for good. Please contact email@example.com for more information on how to help.
- Start by identifying (or “mapping”) the personal data within their organizations, how they receive it, how they use it, and how they share it.
- Convene the right stakeholders in all of these efforts and designate responsibility. An organization’s use of consumer data is about more than just compliance with the CPA or any other law. It is about ethics and brand. Nonprofit organizations should make sure that they have input from their marketing teams, executive teams, advisors, and technologists in addition to their legal and compliance teams. Organizations should task an individual or team to be responsible for coordinating the CPA compliance process and the ongoing privacy-related efforts of the organization.
- Review their disclosures to consumers. The CPA requires specific disclosures about the types of data that organizations collect and how they use and share it, and it prohibits uses that are not reasonably necessary or compatible with the disclosed purposes. Organizations should carefully ensure that their disclosures are accurate and complete as well as aligned with overall consumer messaging.
- Review their data security practices. This is required by the CPA and is always recommended given the reputational risk of data security issues.
- Work with their service providers to ensure that their contracts meet CPA requirements and that they have workflows to assist in responding to consumer rights requests. Wiland is preparing for these new laws now, and Wiland clients can contact their Client Success representatives with any questions on how we can work together as these new laws come into effect.
Disclaimer: Of course, each nonprofit must be the final judge of its policies, and each organization is solely responsible for its data privacy disclosures and practices. The information contained within this blog post does not constitute legal advice, and Wiland strongly encourages all nonprofit organizations and clients to check with their own legal counsel with respect to any legal questions.
₁ “Process” is broadly defined in the CPA as basically any interaction with a consumer’s personal data, including collecting, using, storing, disclosing, analyzing, deleting, or modifying the data.
₂ “Personal Data” under the CPA is broadly defined as any information that is “linked or reasonably linkable to an identified individual,” and is not lawfully made available from government records to the general public.
₃ “Sale” in the CPA is defined similarly to the definition in the California Consumer Privacy Act as exchanging personal data for monetary or other valuable consideration.
₄ The CPA also includes the concept that a consumer may opt out using a technological solution often referred to as a “global privacy control,” an online tool that sends a signal to a website or app indicating the desire to opt out. The Colorado Attorney General is tasked by the CPA with developing rules detailing technical specifications for how these tools are to function by July 1, 2023.
₅ These are called “data protection assessments” in the CPA.