The governor of Colorado on July 7 signed into law Senate Bill 21-190, the Colorado Privacy Act (CPA), making Colorado the third state after California and Virginia to enact comprehensive consumer data privacy legislation.
While the CPA will affect auto lenders, the law provides a significant exemption for data collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to explain how they share and protect their customers’ private information. Whether data is collected pursuant to the GLBA will ultimately depend on the timing of collection, including whether the data is collected before or after a borrower applies for credit.
The CPA applies to “controllers” and “processors” of personal data. A controller is a person that determines the purposes for and means of processing personal data; a processor is defined as a person that processes data on behalf of a controller. The CPA broadly defines “processing” to include the collection, use, sale, storage, disclosure, analysis, deletion or modification of personal data.
As such, an auto lender that determines how or why personal information is collected or used may be considered a controller under the CPA.
The CPA applies to “controllers” of personal data including auto lenders who:
- Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado; and
- Either control or process the personal data of 100,000 Colorado consumers or more during a calendar year, or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 consumers or more.
Consumers’ personal data rights
The CPA creates new personal data rights for Colorado consumers. Consumer rights under the CPA include:
- The right to opt out of the processing of personal data for certain purposes;
- The right of access to confirm whether a controller is processing the consumer’s personal data and to access the consumer’s personal data;
- The right to correct inaccuracies in the consumer’s personal data; and
- The right to delete personal information, and the right to data portability.
Consumers may exercise these rights by submitting a request to a lender specifying which rights the consumer wants to exercise. A lender must respond to the request to inform the consumer of the action taken. The controller must act without “undue delay” or no later than 45 days after receipt of the request. This holds true unless the controller notifies the consumer that they have extended that period, and the reasons for delay, within 45 days of receipt of the request. If the controller takes no action in response to the request, it must also notify the consumer within 45 days of the reasons for not acting, along with instructions for how to appeal the decision.
A lender is not required to comply with a consumer’s request to exercise a right under the CPA if the lender is unable to validate the consumer’s identity to authenticate the source of the request using commercially reasonable efforts.
Duties of controllers
The CPA provides a list of specific duties applicable to auto lenders under the law as controllers of personal data. In addition to exercising care and transparency, controllers also have a duty to specify a purpose for using a consumer’s data; restrict collection of data to what is adequate, relevant and reasonably necessary; avoid secondary use of data; and avoid unlawful discrimination against consumers. The CPA also specifies that a controller must not process a consumer’s “sensitive data,” as defined under the CPA, without first obtaining the consumer’s consent, or parental consent for a child under age 13.
The CPA lists people and information exempt from the scope of the law, including notable exemptions with respect to the GLBA. The law exempts: data collected, processed, sold or disclosed pursuant to the GLBA if done in compliance with the GLBA; and any financial institution or affiliate as defined by the GLBA.
Thus, any data collected after the GLBA applies to the transaction — i.e., after the consumer makes a request for a prequalified offer or applies for credit — will not be subject to the CPA. For example, data collected during the loan application process, origination or servicing would be exempt under the CPA. However, any personal data a vehicle dealer or lender collects from passive website visitors before the consumer applies for credit will be subject to the CPA notwithstanding the GLBA exemption.
Other exemptions include information created to comply with the Health Information Portability and Accountability Act (HIPAA); certain activities regulated by the Fair Credit Reporting Act (FCRA); data regulated by the Children’s Online Privacy Act; data regulated by the Family Educational Rights and Privacy Act; and data maintained for employment record purposes.
Personal data processed pursuant to an exemption may only be processed for a purpose specifically authorized by the CPA. Processing of personal data must be necessary, reasonable and proportionate to the specific purpose.
The Colorado attorney general and Colorado district attorneys have exclusive authority to enforce the CPA. There is no private right of action under the CPA. Note that before an enforcement action is commenced, the attorney general or district attorney must issue a notice of violation to the lender or controller, giving it an opportunity to cure or rectify the violation where a cure is deemed possible. The controller has 60 days after receipt of the notice to cure the violation. In addition, any violation of the CPA is considered a deceptive trade practice under Colorado law.
The CPA becomes effective on July 1, 2023. The Colorado attorney general must also adopt rules by that date to detail and explain certain aspects of it, including the opt-out mechanism for consumers. By January 1, 2025, the attorney general will adopt rules governing the process of issuing opinion letters and interpretive guidance.
Although the effective date of the law is almost two years away, auto lenders covered under the CPA as controllers should act now to build consumer data tracking and mapping procedures to ensure that compliance procedures are in place. Moreover, with several other states currently considering their own data privacy legislation, lenders should be prepared for the enactment of additional state data privacy laws.
Paul Lysobey is an associate at McGlinchey. He advises clients on compliance with the Truth in Lending Act (TILA), Fair Debt Collection Practices Act (FDCPA), Servicemember Civil Relief Act (SCRA), Fair Credit Reporting Act (FCRA), and the Equal Credit Opportunity Act (ECOA).