USA - Colorado: Sectoral Exceptions Regulated by Other Laws

Colorado Privacy Act: Sectoral Exceptions Regulated by Other Laws

The Sectoral Exceptions Regulated by Other Laws factor is used in determining the law's applicability: it exempts data processing activities that are already governed by specific regulations with established data protection standards, thereby preventing duplicative regulation for sectors such as healthcare, finance, and research.

Text of Relevant Provisions

CPA Sec.6-1-1304(2)(q):

"(2) THIS PART 13 DOES NOT APPLY TO: (q) A FINANCIAL INSTITUTION OR AN AFFILIATE OF A FINANCIAL INSTITUTION AS DEFINED BY AND THAT IS SUBJECT TO THE FEDERAL "GRAMM-LEACH-BLILEY ACT", 15 U.S.C. SEC. 6801 ET SEQ., AS AMENDED, AND IMPLEMENTING REGULATIONS, INCLUDING REGULATION P, 12 CFR 1016."

CPA Sec.6-1-1304(2)(j)(III):

"(2) THIS PART 13 DOES NOT APPLY TO: (j) PERSONAL DATA: (III) COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL "DRIVER'S PRIVACY PROTECTION ACT OF 1994", 18 U.S.C. SEC. 2721 ET SEQ., AS AMENDED, IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS REGULATED BY THAT LAW, INCLUDING IMPLEMENTING RULES, REGULATIONS, OR EXEMPTIONS;"

CPA Sec.6-1-1304(2)(j)(IV):

"(2) THIS PART 13 DOES NOT APPLY TO: (j) PERSONAL DATA: (IV) REGULATED BY THE FEDERAL "CHILDREN'S ONLINE PRIVACY PROTECTION ACT OF 1998", 15 U.S.C. SECS. 6501 TO 6506, AS AMENDED, IF COLLECTED, PROCESSED, AND MAINTAINED IN COMPLIANCE WITH THAT LAW; OR"

CPA Sec.6-1-1304(2)(j)(V):

"(2) THIS PART 13 DOES NOT APPLY TO: (j) PERSONAL DATA: (V) REGULATED BY THE FEDERAL "FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974", 20 U.S.C. SEC. 1232g ET SEQ., AS AMENDED, AND ITS IMPLEMENTING REGULATIONS;"

Analysis of Provisions

The Colorado Privacy Act (CPA) includes several provisions that exempt data processing activities regulated by other laws. For example, CPA Sec.6-1-1304(2)(q) exempts financial institutions and their affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA). Similarly, CPA Sec.6-1-1304(2)(j)(III), (IV), and (V) exempt personal data collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994, the Children's Online Privacy Protection Act of 1998, and the Family Educational Rights and Privacy Act of 1974, respectively.

These exemptions are designed to prevent duplicative regulation and ensure that entities subject to these specific regulations are not also subject to the CPA. For instance, a financial institution that is already complying with the GLBA would not need to also comply with the CPA for the same data processing activities.

Implications

The inclusion of these exemptions has significant implications for businesses in Colorado. For example, a healthcare provider that is subject to the Health Insurance Portability and Accountability Act (HIPAA) would not need to comply with the CPA for the same data processing activities. Similarly, a financial institution that is subject to the GLBA would not need to comply with the CPA for the same data processing activities.

However, these exemptions apply only to the specific data processing activities regulated by these laws. If a business engages in data processing activities that are not regulated by these laws, it would still need to comply with the CPA.

For example, a financial institution that collects personal data for marketing purposes would still need to comply with the CPA, even if it is exempt from the CPA for data processing activities regulated by the GLBA.

