Our products enable customers to comply with the requirements of the Colorado Privacy Act (the “CPA”). The CPA takes effect on July 1, 2023; however, until January 1, 2025, the Colorado Attorney General will issue a notice of violation prior to taking any enforcement action, and companies that cure the violation within sixty days will not be subject to an enforcement action.

The CPA, very generally, requires businesses to:

• Provide transparent notices on how they collect, use, and sell data.
• Specify the purpose(s) for collecting personal data and limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
• Respect a consumer’s right to request information and access their personal data and provide copies of personal data to consumers in a readily usable and easily transferrable electronic format.
• Respect a consumer’s right to request erasure or correction of their personal data.
• Respect a consumer’s right to opt out of data selling, targeted advertising, or certain kinds of profiling.
• Maintain records about consumer right requests received by the business.
• Provide a clear and conspicuous link on the business’s Internet website that enables a consumer to exercise their consumer rights.
• Recognize and honor a consumer’s use of a universal opt-out mechanism (effective July 1, 2024).
• Take special precautions when processing sensitive data or children’s data.
• Implement and maintain reasonable security measures to protect personal data.
• Conduct and document data protection impact assessments for processing of personal data that presents a heightened risk of harm to consumers.
• Take certain measures with respect to protecting de-identified data.

The CPA applies to both for-profit and nonprofit organizations doing business in Colorado that: (a) control or process the personal data of 100,000 consumers or more during a calendar year, or (b) derive revenue or receive a discount on goods or services from the sale of personal data, and control or process the personal data of 25,000 consumers or more.

The CPA excludes certain types of data, such as patient identifying information under HIPAA and personal data regulated by FERPA.

Please consult with your organization’s legal counsel to determine your compliance obligations under the CPA.

When Blackbaud receives customers’ constituent data in connection with the Blackbaud Solutions, we are acting as a service provider. If we receive an access request, an opt-out request, or a request to delete or correct from a consumer regarding personal information that we collect or hold on a customer’s behalf, we will inform the consumer that it should submit the request directly to such customer.

Many of the CPA requirements are to be fulfilled by the organization outside of our solutions. We have provided instructions on how an organization can correct, delete, or de-identify personal data within a solution and query data in a solution to respond to access requests. See the Product Documentation section of this site for information on how to accomplish these tasks in your solution.

For solutions that provide an organizational homepage to a customer, you can include and self-title a hyperlink at the bottom of the homepage that will link to your site for handling privacy requests. In addition, such homepage will respect the opt-out preference signal Global Privacy Control.

Solutions containing constituent records will allow customers to flag constituent records as having opted out of sale or targeted advertising.

Our solutions that collect data directly from your constituents will allow you to include a link directly to your organization’s privacy notice. Where needed, you can provide certain information to a constituent at the time the data is collected by linking to the specific section in your privacy notice that contains this information.

We have made changes here at Blackbaud for our own compliance with the CPA, particularly with respect to our Data Intelligence business. We have prepared new privacy notices, implemented mechanisms for individuals to submit consumer rights requests, and readied our engineers to create robust subject access reports upon request. Blackbaud acts as a data controller when it provides Data Intelligence services, including Target Analytics®, and accordingly will comply with Colorado consumers’ access requests, deletion requests, correction requests, and opt out requests. Individuals who opt out of the sale of their data will be excluded from the data sets we use for customer data enrichment services.

While the information provided above is reliable, it does not constitute legal advice and should not be construed as legal advice or a legal opinion on any specific facts or circumstances.