Sep 01 2021

Should Higher Ed Be Worried About the Colorado Privacy Act?

A data privacy lawyer from the Dorsey & Whitney law firm’s Denver office sheds light on how the CPA will impact universities across the country.

Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law in July, making Colorado the third U.S. state to pass comprehensive data security legislation.

The CPA resembles similar privacy legislation, including Virginia’s Consumer Data Protection Act, as well as some aspects of the European Union’s General Data Protection Regulation (GDPR).

Although the Colorado law won’t go into effect until July 1, 2023, Deb Howitt, a partner at the Dorsey & Whitney law firm’s Denver office, says higher education institutions should begin preparing for similar legislation across the country. “Numerous states are currently in the process evaluating their data privacy and security legislation, so we anticipate several other state bills to pass into laws this year,” she says.

Howitt, who specializes in data privacy and cybersecurity, says that public, private and for-profit institutions may face different requirements in terms of the CPA. Enforcement may also depend on how many Colorado-based students an institution serves.

In a Q&A with EdTech: Focus on Higher Education, she explains the exceptions and enforcement scenarios that higher education leaders should be aware of.

LEARN MORE: See how CDW can help customers navigate new data protection regulations.

EDTECH: If a university outside of Colorado serves students who are learning remotely from Colorado, does the Colorado Privacy Act apply?

HOWITT: In principle, yes. The CPA could apply to educational institutions outside of Colorado. The CPA applies to any entity that conducts business in Colorado or targets its services to Colorado.

But it’s important to know that it applies to businesses that control or processes the personal data of at least 100,000 Colorado consumers during a calendar year (or 25,000 consumers, if the company sells personal data).

There are many exceptions. “Consumers” includes any individual who is acting in an individual or household capacity. but it excludes individuals acting in an employment or commercial context (such as B2B roles). Given the data volume threshold, it’s likely that even if a higher ed institution targeted Colorado, it could fall below these thresholds.

Additionally, the commercial and employee exemption likely excludes another significant portion of an institution’s handling of personal data: data that involves the institution’s employees, independent contractors, vendors, etc. These would be outside the scope of the CPA.

If an institution does meet the consumer volume threshold, two more exceptions are still likely relevant for higher ed.

First, the CPA excludes any data regulated by FERPA. Therefore, most student records processed in the ordinary course of business are likely to fall outside the scope of the CPA.

Second, the CPA does not apply to any data maintained by a state higher ed institution, as long as the data is processed in accordance with any authorizations under state or federal law and is used for noncommercial purposes.

There is no general nonprofit exemption in the CPA. So, some private or for-profit higher ed institutions may be subject to the CPA’s requirements, whereas public institutions are not.

In light of these exceptions, most higher ed institutions’ data processing operations relating to students, employees, and commercial/B2B relationships are likely out of scope. However, it is possible that certain marketing activities (such as online advertising, marketing, ticketing and events/athletics) could remain in scope if the institution meets the volume requirements. These would involve data processing related to consumers, and the relevant data would not be classified as a student record.

MORE ON EDTECH: To protect student data, know the difference between security and privacy.

EDTECH: What are some common issues that universities and colleges might encounter during enforcement?

HOWITT: As of now, it is unclear what specific elements of the new law will most likely be enforced. Looking at how the GDPR and similar laws are enforced, key focus areas will likely be:

  • The handling of sensitive categories of information
  • Vendor management issues and security compliance
  • Noncompliance with rights requests (in particular, opt-out rights)

If enforcement occurs, institutions are likely to be subject to regulatory reviews of internal policies, procedures and their general compliance practices, with a focus on institutional understanding of the risks and obligations relating to their handling of personal data.

As the laws continue to evolve, there will be uncertainties and a learning curve for many institutions. That said, regulators are likely to take into account the amount of effort that organizations put into compliance, especially the effort to understand data flows and data processing risks. They want to see there are procedures in place to mitigate risk and ensure data is used appropriately and securely.

EDTECH: Colorado is not nearly as overwhelmed with enforcement as California and Europe are, which raises the chances of enforcement. Do you have any insights on that?

HOWITT: For now, Colorado’s enforcement is limited, and the scope and reach of Colorado’s laws may not be as broad as privacy laws in California and Europe. We anticipate that the Colorado Attorney General’s office will increase its data privacy staff.

It is important to note that district attorneys in Colorado can also enforce the CPA, which could result in greater enforcement.

However, there may be an increase in coordinated actions by the state attorneys general to enforce common state law provisions against multistate actors, following similar multistate approaches seen in state consumer protection and antitrust actions.

Since most of these state laws are new, we have yet to see how common enforcement will be. Many laws are either not in force or have been in force for only a limited time, so aggressive action is less likely. If enforcement proves to be popular with consumers or the public, then we may see an increase in enforcement across the board.

Austin Chambers, an associate attorney at Dorsey & Whitney, contributed to research and analysis.

anyaberkut/ iStock / Getty Images Plus

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.