The Colorado Privacy Act (CPA) does not explicitly use the factor of "Offering Goods and Services to Data Subjects" as a standalone criterion for determining the law's applicability. Instead, it incorporates this concept within broader provisions related to conducting business in Colorado and intentionally targeting Colorado residents.

Text of Relevant Provisions

CPA Sec. 6-1-1304(1)(a):

"EXCEPT AS SPECIFIED IN SUBSECTION (2) OF THIS SECTION, THIS PART 13 APPLIES TO A CONTROLLER THAT: (a) CONDUCTS BUSINESS IN COLORADO OR PRODUCES OR DELIVERS COMMERCIAL PRODUCTS OR SERVICES THAT ARE INTENTIONALLY TARGETED TO RESIDENTS OF COLORADO;"

CPA Sec. 6-1-1304(3)(a)(VIII):

"THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS PART 13 DO NOT: (a) RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: (VIII) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER OR THE PARENT OR GUARDIAN OF A CHILD, PERFORM A CONTRACT TO WHICH THE CONSUMER IS A PARTY, OR TAKE STEPS AT THE REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT;"

Analysis of Provisions

The Colorado Privacy Act approaches the concept of offering goods and services to data subjects in two ways:

1. As part of its applicability criteria: The CPA applies to controllers that "conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado". This provision indirectly encompasses the concept of offering goods and services to Colorado residents, making it a factor in determining the law's applicability.
2. As an exemption from certain obligations: The CPA explicitly states that its obligations do not restrict a controller's ability to "provide a product or service specifically requested by a consumer" or "perform a contract to which the consumer is a party". This exemption ensures that the law does not impede normal business operations and contractual obligations.

The CPA's approach differs from some other jurisdictions that explicitly use "offering goods and services" as a standalone criterion for territorial scope. Instead, it focuses on the broader concept of conducting business or intentionally targeting Colorado residents, which would naturally include offering goods and services.

Implications

The implications of these provisions for businesses are significant:

1. Broad applicability: Companies that intentionally target Colorado residents with their products or services may fall under the CPA's jurisdiction, even if they don't have a physical presence in Colorado.
2. Intentional targeting: The use of the phrase "intentionally targeted" suggests that mere accessibility of a website or service from Colorado may not be sufficient to trigger the law's application. Businesses would need to take specific actions to target Colorado residents.
3. Exemption for requested services: The exemption for providing specifically requested products or services allows businesses to fulfill consumer requests and contractual obligations without additional CPA-related restrictions.
4. Threshold requirements: It's important to note that meeting the targeting criterion alone is not sufficient for the CPA to apply. Controllers must also meet one of the thresholds specified in CPA Sec. 6-1-1304(1)(b), such as controlling or processing personal data of 100,000 or more Colorado consumers per year.
5. Contractual performance: The exemption for performing contracts and taking steps prior to entering contracts provides flexibility for businesses in their pre-contractual and contractual interactions with Colorado consumers.

These provisions strike a balance between protecting Colorado residents' data and allowing businesses to operate effectively. Companies offering goods or services to Colorado residents should carefully assess whether their activities constitute intentional targeting and whether they meet the CPA's thresholds to determine if they fall under the law's scope.