Colorado Privacy Act: Exceptions

Colorado Privacy Act (CPA) application and definitions, consumer rights, and privacy notice requirements were discussed in July 2021 in "Colorado Privacy Act: Application, Definitions, Rights, and Notices." CPA controller and processor responsibilities, controller-processor contracts, data protection assessments, de-identified data, and Colorado attorney general and district attorney enforcement were discussed in "Colorado Privacy Act: Controllers, Assessments, Data, and Enforcement." This article discusses exceptions to the CPA.

The CPA does not apply to the following.

• Protected health information that is collected, stored, and processed by a covered entity or its business associates
• Healthcare information that is governed by Part 8 of Article 1 of Title 25 solely for the purpose of access to medical records
• Patient identifying information, as defined in 42 C.F.R. § 2.11, that is governed by and collected and processed pursuant to 42 C.F.R. § 2, established pursuant to 42 U.S.C. § 290dd-2
• Identifiable private information as defined in 42 C.F.R. § 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 C.F.R. § 46; identifiable private information that is collected as part of human subjects research pursuant to the good clinical practice guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 C.F.R. § 50 and § 56 or personal data used or shared in research conducted in accordance with the requirements set forth in the CPA or other research conducted in accordance with one or more categories set forth in Col. Rev. Stat.§ 6-1-1304(2)(d)
• Information and documents created by a covered entity for purposes of complying with the Health Insurance Portability and Accountability Act and its implementing regulations
• Patient safety work product, as defined in 42 C.F.R. § 3.20 that is created for purposes of patient safety improvement pursuant to 42 C.F.R. § 3, established pursuant to 42 U.S.C. §§ 299b-21 to 299b-26
• Information that is de-identified in accordance with the requirements for de-identification in 45 C.F.R. § 164 and derived from any of the healthcare-related information described in Col. Rev. Stat.§ 6-1-1304
• Information maintained in the same manner as information under Col. Rev. Stat.§ 6-1-1304(2)(a) to (2)(g) by the following.
  • Covered entity or business associate;
  • Healthcare facility or healthcare provider; or
  • Program of a qualified service organization as defined in 42 C.F.R. § 2.11
• An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency as defined in 15 U.S.C. § 1681a (f), a furnisher of information as set forth in 15 U.S.C. § 1681s-2 that provides information for use in a consumer report, as defined in 15 U.S.C. § 1681a (d) or a user of a consumer report as set forth in 15 U.S.C. § 1681b, but only to the extent that the activity is regulated by the federal Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., as amended, and the personal data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by the federal Fair Credit Reporting Act, as amended
• Personal data that includes the following.
  • Collected and maintained for purposes of Article 22 of Title 10;
  • Collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., as amended, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
  • Collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., as amended, if the collection, processing, sale, or disclosure is regulated by that law, including implementing rules, regulations, or exemptions;
  • Regulated by the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 to 6506, as amended, if collected, processed, and maintained in compliance with that law; or
  • Regulated by the federal Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §§ 1232g et seq., as amended, and its implementing regulations
• Data maintained for employment records purposes
• An air carrier as defined in and regulated under 49 U.S.C. §§ 40101 et seq., as amended, and 49 U.S.C. § 41713, as amended
• A national securities association registered pursuant to the federal Securities Exchange Act of 1934, 15 U.S.C. § 78o-3, as amended, or implementing regulations
• Customer data maintained by a public utility as defined in § 40-1-103 (1)(a)(I) or an authority as defined in § 43-4-503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used, except as authorized by state and federal law
• Data maintained by a Colorado institution of higher education, as defined in § 23-18-102 (10), Colorado, the judicial department of Colorado, or a county, city and county, or municipality, if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes (Col. Rev. Stat.§ 6-1-1304(2)(o) does not effect any other exemption available under the CPA)
• Information used and disclosed in compliance with 45 C.F.R. §164.512
• A financial institution or an affiliate of a financial institution as defined by and that is subject to the federal Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., as amended, and implementing regulations, including Regulation P, 12 C.F.R. § 1016

The obligations imposed on controllers or processors under the CPA do not do the following.

• Restrict a controller's or processor's ability to do the following.
  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;
  • Investigate, exercise, prepare for, or defend actual or anticipated legal claims;
  • Conduct internal research to improve, repair, or develop products, services, or technology;
  • Identify and repair technical errors that impair existing or intended functionality;
  • Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller;
  • Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
  • Protect the vital interests of the consumer or of another individual;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems or investigate, report, or prosecute those responsible for any such action;
  • Process personal data for reasons of public interest in the area of public health but solely to the extent that the processing is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed and is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or
  • Assist another person with any of the activities set forth in Col. Rev. Stat.§ 6-1-1304(3)
• Apply where compliance by the controller or processor with the CPA would violate an evidentiary privilege under Colorado law
• Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication
• Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law
• Apply to the processing of personal data by an individual in the course of a purely personal or household activity

Personal data that are processed by a controller pursuant to an exception provided by Col. Rev. Stat. § 6-1-1304 must do the following.

• Must not be processed for any purpose other than a purpose expressly listed in Col. Rev. Stat.§ 6-1-1304 or as otherwise authorized by the CPA and
• Must be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in Col. Rev. Stat.§ 6-1-1304 or as otherwise authorized by the CPA

If a controller processes personal data pursuant to an exemption in Col. Rev. Stat. § 6-1-1304, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements of Col. Rev. Stat. § 6-1-1304(4).