The Colorado Privacy Act (CPA) was designed to provide consumers in Colorado with certain rights regarding the collection and processing of their personal data by businesses. The CPA draws some inspiration from other privacy laws, such as the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR).
Effective date: July 1, 2023
Official text: Senate Bill 21-190
What is the Colorado Privacy Act?
The Colorado Privacy Act (2021) is the third state consumer data privacy law, after the California Consumer Privacy Act (CCPA) (now CPRA) and the Virginia Consumer Data Protection Act (CDPA). It was signed into law on June 8, 2021.
The privacy act enhances the data rights and privacy protections for Colorado consumers. It regulates how businesses collect, use, disclose, and secure the personal information of Colorado residents. The Act broadly aligns with GDPR-style privacy principles to strengthen consumer protections.
The Colorado Attorney General (AG) and district attorneys have exclusive authority to enforce the CPA.
Who does the Colorado Privacy Act apply to?
The law applies to for-profit entities that conduct business in Colorado or produce products/services targeted to Colorado residents, and that also meet either of these criteria:
- Control or process personal data of 100,000+ Colorado consumers per calendar year
- Derive revenue or receive discounted pricing for selling personal data of 25,000+ consumers per year
The Colorado Privacy Act exempts some organizations from its scope, including Colorado government agencies, airlines, public utilities, higher education institutions, consumer reporting agencies, and entities that process de-identified data.
Additionally, personal data already regulated under other federal and state laws is exempt from the CPA. This includes data governed by COPPA, FCRA, FERPA, GLBA, and HIPAA.
What constitutes personal data under the Act?
Personal data refers to any information that directly identifies or reasonably can be linked to a particular consumer or household. This includes:
- Identifiers like name, address, email, account usernames, IP address, device IDs, SSN, passport number
- Commercial data like purchases, browsing history, financial details, biometrics
- Internet/electronic activity such as browsing history, search queries, audio/visual data
- Geolocation data, audio recordings, education info, and any inferences drawn
The definition explicitly excludes de-identified data, publicly available information, and data governed by sector-specific federal laws.
The Act also defines sensitive data which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship status
- Genetic or biometric data that can uniquely identify an individual
- Personal data from a known child
What are the requirements of the Colorado Privacy Act?
Duty of transparency
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that discloses:
- The categories of personal data collected or processed by the controller or processor
- The purposes for which each category of personal data is processed
- How and where consumers can exercise their rights under the law, including the controller’s contact information and process to appeal the controller’s actions
- The categories of personal data shared with third parties, if any
- The categories of third parties, if any, with whom the controller shares personal data
- Whether the controller sells personal data or uses it for targeted advertising, and how consumers can opt out
Duty of purpose specification
Controllers must expressly and specifically articulate the purposes for collecting and processing each category of personal data.
Duty of data minimization
Controllers should only collect personal data that is reasonably adequate, relevant, and limited to what is necessary in relation to the specified processing purposes.
Duty to avoid secondary use
Controllers cannot process personal data for any additional purposes that are not compatible with or reasonably necessary for the specified purposes unless they obtain the consumer’s consent.
Duty of care
Controllers must implement reasonable administrative, technical, and physical safeguards to protect personal data from unauthorized access during storage and use. Security practices should align with the volume, scope, and sensitivity of the data.
Duty to avoid discrimination
Controllers cannot process personal data in violation of state or federal anti-discrimination laws.
Duty regarding sensitive data
Controllers must obtain the consumer’s consent before processing sensitive personal data related to health, ethnicity, children, etc. Parental consent is needed to process a known child’s data.
What are consumer rights under CPA?
Right to opt-out
Consumers have the right to opt out of their personal data being processed for targeted advertising, the sale of personal data, or any profiling that significantly impacts them. Controllers must offer a clear and prominent method for consumers to opt out, both in privacy notices and in easily accessible locations outside the notice.
Until July 1, 2024, honoring a universal opt-out mechanism that meets the technical specifications set by the Attorney General is optional. After this date, controllers must honor a user-selected universal opt-out mechanism that meets those technical specifications.
Right of access
Consumers can confirm whether a controller is processing their data and have the right to access that data.
Right to correction
Consumers are empowered to correct inaccuracies in their personal data, considering the nature of the data and the purposes for processing.
Right to deletion
Consumers possess the right to request the deletion of their personal data.
Right to data portability
When exercising the right of access, consumers can obtain their personal data in a portable and readily usable format. This allows them to transmit the data to another entity without hindrance.
This right can be exercised up to two times per calendar year. A business may charge a fee for the second consumer data request received within a 12-month period.
However, controllers are not obligated to provide the data in a manner that would reveal their trade secrets.
What are the consent requirements in the Act?
Under the Act, consumers have the right to opt out of the processing of their data in the following instances:
- Targeted advertising
- Sale of personal data
- Profiling that could have a legal or similar impact on the consumer
The controller must also permit individuals authorized by the consumer to opt out of data processing.
This opt-out choice for personal data processing must be presented clearly and conspicuously, easily accessible outside the privacy notice. Additionally, it is imperative to include this information in the privacy notice itself.
Until July 1, 2024, the controller has the option to implement a universal opt-out mechanism. After this date, adherence to this provision becomes mandatory.
If a consumer uses a universal opt-out mechanism, the controller may seek consent through a webpage, application, or similar method. This consent takes precedence over the opt-out request made through the universal opt-out mechanism. Before obtaining such consent, the controller must provide the consumer with a clear and conspicuous notice, detailing:
- Available choices, as mentioned above
- Categories of personal data to be processed and the purposes of processing
- Procedures for withdrawing consent
For purposes of targeted advertising or the sale of personal data, the web page, application, or other means through which a controller obtains consumer consent to process personal data must facilitate revocation of consent as easily as it is initially provided.
In certain scenarios, businesses are required to obtain explicit consent from consumers before processing their data. These scenarios include:
- Processing data of a sensitive nature necessitates clear and explicit consent.
- When dealing with a child’s data, businesses must obtain consent from the parent or guardian, recognizing the need for additional protection in these cases.
- If data is to be processed for a purpose other than the one disclosed when it was originally collected, obtaining consent becomes mandatory.
What are the penalties and fines under the CPA?
The Colorado Privacy Act does not create a private right of action and enforcement is exclusively through the State Attorney General and district attorneys.
Initially, organizations receive a 60-day right-to-cure period after a notice of violation. Starting January 2025, that cure period no longer applies; instead, companies can seek opinion letters and guidance from the AG’s office.
Penalties range from $2,000 to $20,000 per violation under the Colorado Consumer Protection Act, which privacy law violations fall under. The Consumer Protection Act also enables criminal charges for violations of the privacy law.
Checklist for Colorado Privacy Act compliance
- Determine if your business is subject to the CPA
- Review data collection, processing, and sharing practices
- Update privacy policies with required disclosures
- Enable consumer rights like access, deletion, and portability
- Implement opt-out for data sale and targeted advertising
- Obtain consent for sensitive data and children’s data
- Deploy appropriate data security safeguards
- Develop processes for consumer requests and complaints
- Conduct periodic audits for continued compliance
- Maintain records of CPA compliance
CPRA vs CPA infographic
FAQ on Colorado Privacy Act
What is the Colorado privacy law?
The Colorado privacy law or Colorado Privacy Act (CPA) is a state consumer data privacy law signed into law on June 8, 2021. It enhances data rights and privacy protections for Colorado consumers and regulates how businesses collect, use, disclose, and secure the personal information of Colorado residents.
What are the violations of the Privacy Act in Colorado?
Some key violations of the Privacy Act in Colorado include:
- Failing to provide required transparency disclosures to consumers
- Processing personal data without consent for purposes like targeted advertising or sale of data
- Failing to provide adequate security measures to protect personal data
- Failing to allow consumers to exercise their data rights
What is sensitive data under the Colorado Privacy Act?
Sensitive data under the Colorado Privacy Act includes personal data revealing race, ethnicity, religious beliefs, mental/physical health, sexual orientation, genetic or biometric data, and data from known children.
What is deidentified data in the Colorado Privacy Act?
Deidentified data refers to data that cannot reasonably be linked back to an identified or identifiable individual, and for which the business has taken steps to prevent reidentification. Deidentified data is exempt from most provisions of the Privacy Act.