Colorado Privacy Act (CPA)

Joining California and Virginia, Colorado is now the third US state to pass a comprehensive data privacy law. The Colorado Privacy Act (CPA) was signed into law by Colorado Governor Jared Polis on July 7, 2021 — its effective date is July 1, 2023.

This addition to Colorado law aims to protect the privacy of Colorado residents. Once in effect, the new Colorado privacy law will require certain entities that conduct business or produce products targeted to Colorado residents to provide various personal data privacy rights.

These include the right to refuse the sale and use of personal data and the right to access, correct, and delete personal data.

The CPA will also require businesses to provide privacy policy disclosures and create data protection assessments for certain processing activities. This is an important step in keeping businesses in check and individuals safe.

Let’s take a look at what you need to know about Colorado’s new data privacy law.

What Is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act is modeled after Virginia’s Consumer Data Protection Act (CDPA), California’s Consumer Privacy Act (CCPA), and California’s Privacy Rights Act (CPRA). It was also inspired by the EU’s General Data Protection Regulation (GDPR), which includes requirements on data processors, like “mandatory data protection assessments.”

However, the CPA includes a few crucial differences.

In Virginia and California, non-profit organizations are exempt from data protection laws, but in Colorado, they are not. In general, the CPA applies to all entities (for-profit and not) that meet certain thresholds regarding the amount of consumers’ data they process or control. But unlike Virginia’s data protection act, the Colorado law doesn’t require a revenue threshold.

The Colorado act also does not apply to employee or business-to-business (B2B) data.

As per Colorado’s law, the Attorney General or state district attorneys have the power to fill any significant gaps in the statute. In addition, they may establish rules to ensure compliance and are also in control of enforcing the law.

Who Must Comply With the New Colorado Privacy Act?

The Colorado Privacy law has derived some of its terminology from the EU’s GDPR — the world’s strictest data privacy law. Let’s take a look at how the CPA defines specific terms we’ve come to know from existing data privacy laws.

Controllers

Most of the new requirements are on “controllers” — a person who, alone or jointly with others, determines the purposes and means of processing personal data.

The CPA only applies to controllers that conduct business in Colorado or target Colorado residents with their offers of goods or services. These businesses also need to meet certain thresholds to be required to comply with CPA.

Consumers

According to the CPA, “consumers” are defined as Colorado residents acting in their individual or household capacities. However, under the CPA, individuals operating in a business or work context, job candidates, and beneficiaries of someone acting in a commercial or employment context are not considered “consumers.”

Personal Data

The CPA defines “personal data” as any information linked to a distinguishable person within reason and does not include de-identified data (data in which personal identifying information is removed) or publicly available information.

So, who needs to comply with the Colorado Privacy Act?

The CPA requirements are only applicable to controllers who conduct their business in Colorado or sell products — or services — to residents of Colorado and meet one or more of the following thresholds:

• Processes or controls the personal data of more than 100,000 consumers annually
• Derives revenue or receives discounts from the sale of personal data and control or process data of at least 25,000 consumers

The second threshold is distinct in Colorado’s law and will potentially apply to more businesses compared to the laws in Virginia and California.

The reason for this is because the CPA defines “sale” as the exchange of personal data by a controller for money or “any other valuable consideration” to a third party.

The phrase “other valuable consideration” is ambiguous and open to interpretation. It suggests that a reduction in the price of products or services may be considered valuable consideration, possibly qualifying the disclosure of personal data as a sale.

For example, providing your personal data to a business using free cloud-based software could be categorized as a discount. Unless the exchange of data falls under one of the exceptions under the law’s definition of “selling,” this could be considered a sale of personal data.

What Rights Does the Colorado Privacy Act Grant for Consumers?

The rights provided under the Colorado law are identical to those provided by the CDPA or the CCPA and include:

Opt out of data processing

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:

• Targeted advertising
• Sale of personal data
• Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer

A decision producing a legal or similarly significant effect may affect a person’s legal status or legal rights or has an equivalent impact on an individual’s circumstances, behavior, or choices. In extreme cases, it might exclude or discriminate against the affected person.

Examples of such profiling may include the analysis of personal data to predict individual behavior relating to their financial status, health, personal preferences, education, employment, housing, insurance, or access to basic necessities.

Colorado’s law places a requirement on controllers to establish a straightforward method for consumers to enforce their rights. It must be in the business’ privacy notice and in an easily accessible location outside of that notice.

The Colorado Attorney General is expected to provide technical requirements for a universal opt-out mechanism by July 1, 2024. The universal opt-out will allow consumers to click a single button to exercise all opt-out rights. This global opt-out should apply to both sales of data as well as targeted advertising.

Access personal data

Consumers are entitled to know whether a business controls and processes their data. If a particular business processes personal data, the consumer has a right to access that data.

Correct any incorrect data

Colorado consumers have the right to correct any inaccuracies in the data collected about them.

Delete personal data

Colorado consumers have the right to delete personal data concerning the consumer.

Receive personal data through portable means

Consumers have the right to receive their data in a portable and easy-to-use format, permitting them to share that data with a third party if required.

Colorado’s Attorney General will establish these regulations by July 1, 2023. At that date, controllers are required to allow consumers to use a “user-selected universal opt-out mechanism.” Similar to California’s regulations, the CPA recognizes Global Privacy Controls as a valid way to opt out of the sale of personal data for companies that accumulate private data from consumers on the internet.

Honoring data subject requests

You need to make it easy for customers to contact you and respond to customer requests promptly.

This can be a time-consuming task for smaller organizations, especially if these practices are not automated, and business data gets stored in various locations. But under Colorado law, you must develop mechanisms to accept, track, verify, and honor consumer requests so that they can exercise their access, correction, and deletion rights.

Is Anyone Exempt From the Colorado Privacy Act?

While non-profit organizations are not exempt from the CPA, Colorado’s law does provide other exemptions.

For example, the CPA does not apply to personal data maintained by the business for commercial (b2b) or employment records purposes or job applicant data and data regarding a beneficiary of someone acting in an employment context.

Like the CCPA, the CPA also does not apply to protected health and healthcare information.

Furthermore, compliance with Colorado’s law is not obligatory for all businesses or companies. For example, companies that don’t reach the thresholds noted above — essentially those who don’t process the data of enough Colorado residents annually — are exempt.

The following organizations are also exempt from the Colorado Privacy Act:

• Airlines
• Public utilities
• Organizations that process de-identified personal data
• Organizations that process data for records of employees
• Organizations that process data for Colorado Health Insurance laws
• Organizations that fall under the Health Insurance Portability and Accountability Act
• Colorado’s government organizations
• Organizations that are subject to the Fair Credit Reporting Act
• Organizations that fall under the Family Educational Rights and Privacy Act
• Financial institutions that fall under the Gramm-Leach-Bliley Act
• Organizations that fall under the Children’s Online Privacy Protection Act
• Consumer reporting agencies
• Institutions of higher education

Colorado Privacy Act Enforcement

Colorado’s new data privacy law is further distinct from the other states’ laws because it is enforceable by the Colorado Attorney General and by district attorneys.

Like Virginia’s privacy law, the CPA does not offer a distinct right of action for the consumers. Before any enforcement action, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible.

Before enforcement gets initiated, the controller is allowed 60 days to review an alleged violation and rectify it. This period is known as the “cure period.”

However, this 60-day cure period — double the cure period provided under the CCPA and CDPA — will only be effective for the first 18 months. It will cease to exist after January 18, 2025.

Colorado Privacy Act Penalties and Fines

At this point, a violation of CPA is considered a deceptive trade practice, but no specific fines have been determined.

For now, penalties fall under the scope of the Colorado Consumer Protection Act and range from $2,000 to $20,000 per violation.

How to Meet Colorado Privacy Act Requirements

To stay compliant with the CPA, make sure you follow these important steps:

1. Determine whether your company falls within either threshold of the CPA

Does your company process or control data of more than 100,000 consumers annually or derive revenue from selling personal data of at least 25,000 consumers? If so, and it doesn’t fall under an exempt category, you will be required to follow CPA’s regulations.

It’s also necessary to analyze your disclosures of personal data to establish whether they would be considered a “sale” under Colorado’s law and, if so, to what extent.

Since the laws are similar, companies that already comply with the CCPA, CDPA, and GDPR will not need to take many additional steps in making sure they are compliant with the new Colorado data law.

2. Map your data

If you’ve determined that your company is not exempt from the Colorado Privacy Act, the next step is mapping your data.

Data mapping ensures that controllers understand how data flows through their organization. You need to understand what data you are processing and for what purpose to fulfill data subject requests and determine how long you should keep that data in your systems.

Data mapping is an ongoing process, so you should conduct regular reviews of the personal data you process and update the documentation accordingly. It is strongly advised to always document your processing activities in writing in a granular way with links between the different pieces of information.

To stay compliant, you’ll need to understand where your information comes from and how it’s used.

3. Revise your privacy policies.

To comply with the CPA, you should revise and update your privacy policies to include personal data processing activities, new rights available to consumers, and identify the mechanisms for consumers to exercise those rights.

4. Assess your data protection.

It is also recommended that companies carry out data protection assessments regularly. These assessments should evaluate how your company utilizes and processes any private information and, more importantly, the risks involved with processing that data.

5. Implement a universal opt-out mechanism.

Users must be able to opt out of the selling of their personal information.

From July 1, 2024, when the CPA goes into effect, businesses must implement a universal opt-out mechanism selected by the user to satisfy the technical requirements under Colorado’s privacy law.

Implementing a consent mechanism for collecting sensitive data from consumers will also be crucial. Controllers that collect sensitive data from users must obtain certified and explicit approval.

In addition, Colorado privacy laws state that consent does not imply endorsement of the general terms of use, the use of obscure patterns or overlays, the silence, shutdown, or deactivation of content. Therefore, you may also need to develop explicit, affirmative action by which the consumer signifies agreement to the processing of personal data.

The web page, application, or other means by which a controller obtains a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.

6. Appoint a data protection officer.

Appoint a data protection officer to lead regular training programs to ensure that employees can handle consumer inquiries in a timely and consistent manner that fulfills the CPA’s requirements.

The data protection officer will also make sure your company’s data privacy policy is fully compliant with the law.

Staying Compliant With the Colorado Privacy Act

Colorado’s new privacy law can profoundly affect businesses, and trying to navigate this complex network of rules will only get more complicated.

At Termly, we focus on data privacy regulation and best business practices for the modern digital professional and make compliance with these regulations simpler and more economical. We offer our users a selection of legal policy generators — which include privacy policies, terms and conditions, disclaimers, cookie policies, return policies, and shipping policies — and a cookie consent manager.

Contact our team today to help get your company on the right track.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author