Colorado Privacy Act (CPA)


By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: May 27, 2025


Colorado was the third US state to pass a comprehensive data privacy law when the Colorado Privacy Act (CPA) was signed into law by Governor Jared Polis on July 7, 2021. 

In effect since 2023, this Colorado law aims to protect the privacy of state residents, granting them the right to refuse the sale and use of personal data and the right to access, correct, and delete their data.

It outlines various requirements covered businesses must follow, like making a privacy policy and using data protection assessments for certain processing activities.

Below, I summarize the CPA for you, explain how it impacts businesses and your consumers, and outline the steps you can take to meet the requirements of this U.S. state privacy law.

Table of Contents
  1. What Is the Colorado Privacy Act (CPA)?
  2. Colorado Privacy Law Key Terms & Definitions
  3. Who Must Comply With the Colorado Privacy Act?
  4. Consumer Rights Under the Colorado Privacy Act
  5. How is the Colorado Privacy Act Enforced?
  6. Colorado Privacy Act Penalties and Fines
  7. Colorado Privacy Act Requirements
  8. How To Comply With the Colorado Privacy Act

What Is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act is a consumer privacy protection law modeled after laws like the:

However, the CPA includes a few crucial differences.

In general, the CPA applies to all entities (for-profit and not) that meet certain thresholds regarding the amount of consumers’ data they process or control. But unlike Virginia’s data protection act, the Colorado law doesn’t require a revenue threshold.

In Virginia and California, non-profit organizations are exempt from data protection laws, but in Colorado, they are not.

Violating the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act.

Colorado Privacy Law Key Terms & Definitions

Let’s take a look at how the CPA defines specific terms we’ve come to know from existing data privacy laws.

Controllers

Most of the new requirements are on “controllers” — a person who, alone or jointly with others, determines the purposes and means of processing personal data.

The CPA only applies to controllers that conduct business in Colorado or target Colorado residents with their offers of goods or services. These businesses also need to meet certain thresholds before they are required to comply with the CPA.

Consumers

According to the CPA, “consumers” are defined as Colorado residents acting in their individual or household capacities.

However, under the CPA, individuals operating in a business or work context, job candidates, and beneficiaries of someone acting in a commercial or employment context are not considered “consumers.”

Personal Data

The CPA defines “personal data” as any information that is linked or reasonably linkable to an identifiable individual. It does not include de-identified data (data from which personal identifying information has been removed) or publicly available information.

Who Must Comply With the Colorado Privacy Act?

The CPA requirements apply to controllers who conduct business in Colorado or sell products/services to residents of the state and meet one or more of the following:

  • Process or control the personal data of more than 100,000 consumers annually
  • Derive revenue or receive discounts from the sale of personal data and control or process the personal data of at least 25,000 consumers

Because the CPA defines “sale” as the exchange of personal data by a controller for money or “any other valuable consideration” to a third party, it applies to many businesses.

The phrase “other valuable consideration” is ambiguous and open to interpretation.

It suggests that a reduction in the price of products or services may be considered valuable consideration, possibly qualifying the disclosure of personal data as a sale.

For example, providing your personal data to a business in exchange for free cloud-based software could be categorized as a discount. Unless the exchange of data falls under one of the exceptions in the law’s definition of “selling,” this could be considered a sale of personal data.

Who’s Exempt From the Colorado Privacy Act?

While non-profit organizations are not exempt from the CPA, Colorado’s law does provide other exemptions.

For example, the CPA does not apply to personal data maintained by the business for commercial (B2B) or employment-record purposes, to job applicant data, or to data about a beneficiary of someone acting in an employment context.

Like the CCPA, the CPA also does not apply to protected health and healthcare information.

Furthermore, compliance with Colorado’s law is not obligatory for all businesses or companies. For example, companies that don’t reach the thresholds noted above — essentially those who don’t process the data of enough Colorado residents annually — are exempt.

The following organizations are also exempt from the Colorado Privacy Act:

Consumer Rights Under the Colorado Privacy Act

The rights provided under the Colorado law are essentially identical to those provided by the VCDPA or the CCPA and include the following.

Opt out of data processing

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:

  • Targeted advertising
  • Sale of personal data
  • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer

A decision producing a legal or similarly significant effect is one that affects a person’s legal status or legal rights or has an equivalent impact on an individual’s circumstances, behavior, or choices. In extreme cases, it might exclude or discriminate against the affected person.

Examples of such profiling may include:

  • The analysis of personal data to predict individual behavior relating to their financial status, health, personal preferences, education, employment, housing, insurance, or access to basic necessities.

Colorado’s law requires controllers to establish a straightforward method for consumers to exercise their rights. It must be described in the business’s privacy notice and also made available in an easily accessible location outside of that notice.

The Colorado Attorney General also provided technical requirements for a universal opt-out mechanism which apply to both the sale of data and targeted advertising.

Access personal data

Consumers are entitled to know whether a business controls and processes their data. If a particular business processes personal data, the consumer has a right to access that data.

Correct any incorrect data

Colorado consumers have the right to correct inaccuracies in data collected about them.

Delete personal data

Colorado consumers have the right to delete personal data concerning the consumer.

Receive personal data through portable means

Consumers have the right to receive their data in a portable and easy-to-use format, permitting them to share that data with a third party if required.

Controllers are also required to allow consumers to use a “user-selected universal opt-out mechanism.” The CPA recognizes Global Privacy Control as a valid way to opt out of the sale of personal data for companies that collect personal data from consumers over the internet.

Honoring data subject requests

You must make it easy for customers to contact you and respond to their requests promptly.

This can be a time-consuming task for smaller organizations, especially if these practices are not automated, and business data gets stored in various locations.

But under Colorado law, you must develop mechanisms to accept, track, verify, and honor consumer requests so that they can exercise their access, correction, and deletion rights.

How is the Colorado Privacy Act Enforced?

Colorado’s data privacy law is enforced by the Colorado Attorney General and district attorneys.

Like Virginia’s privacy law, the CPA does not offer a distinct right of action for the consumers. Before any enforcement action, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible.

The controller is allowed 60 days to review an alleged violation and rectify it. This period is known as the “cure period.”

However, this 60-day cure period will cease to exist after January 18, 2025.

Colorado Privacy Act Penalties and Fines

A violation of CPA is considered a deceptive trade practice.

Penalties fall under the scope of the Colorado Consumer Protection Act and range from $2,000 to $20,000 per violation.

Violations under the Colorado Consumer Protection Act can also lead to criminal liability.

Colorado Privacy Act Requirements

To stay compliant with the CPA, make sure you follow these important steps:

Map Your Data

If you’ve determined that your company is not exempt from the Colorado Privacy Act, map your data to ensure you understand how data flows through your organization.

You must understand what data you’re processing and for what purpose to fulfill data subject requests and determine how long you should keep that data in your systems.

Data mapping is an ongoing process, so you should conduct regular reviews of the personal data you process and update the documentation accordingly.

It is strongly advised to always document your processing activities in writing in a granular way with links between the different pieces of information. To stay compliant, you’ll need to understand where your information comes from and how it’s used.

Update Your Privacy Policy

To comply with the CPA, you should revise and update your privacy policies to include personal data processing activities, the rights available to consumers, and identify the mechanisms for consumers to exercise those rights.

Use Termly’s privacy policy generator if you need help creating a policy that aligns with the CPA notification obligations.

Perform Data Protection Assessments

It is recommended that companies carry out data protection assessments regularly.

These assessments should evaluate how your company utilizes and processes any private information and, more importantly, the risks involved with processing that data.

Some companies are required to perform these assessments under the CPA, especially if you process lots of data or sensitive personal information.

Implement a Universal Opt-Out Mechanism

Users must be able to opt out of the sale of their personal information using a universal opt-out mechanism, like Global Privacy Control.

As of July 1, 2024, businesses must implement a universal opt-out mechanism selected by the user to satisfy the technical requirements under Colorado’s law.

Implementing a consent mechanism for collecting sensitive data from consumers is also crucial.

Controllers that collect sensitive data from users must obtain certified and explicit approval.

In addition, Colorado’s privacy law states that consent cannot be inferred from acceptance of general terms of use, from the use of obscure patterns or overlays, or from a consumer’s silence or the closing, muting, or pausing of content.

Therefore, you may also need to develop explicit, affirmative action by which the consumer signifies agreement to the processing of personal data.

The web page, application, or other means by which a controller obtains a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.

Appoint a Data Protection Officer

Appoint a data protection officer to lead regular training programs to ensure employees can handle consumer inquiries in a timely, consistent manner that fulfills the CPA requirements.

The data protection officer will also make sure your company’s data privacy policy is fully compliant with the law.

How To Comply With the Colorado Privacy Act

Colorado’s privacy law profoundly affects businesses, and trying to navigate this complex network of rules can feel complicated.

At Termly, we focus on data privacy regulation and best business practices for the modern digital professional and make compliance with these regulations simpler and more economical.

We offer our users a selection of legal policy generators — which include privacy policies, terms and conditions, disclaimers, cookie policies, return policies, and shipping policies — and a cookie consent manager to help businesses align with the CPA and more.

Contact our team today to help get your company on the right track.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
