Manage opt-outs easily for Colorado Privacy Act compliance
The #1 cookie consent solution, trusted by 1.4 Million+ websites
The Colorado Privacy Act (CPA) is a state-wide data privacy law that places new obligations on how businesses process the personal data of consumers in Colorado and grants consumers rights, including the right to opt out of targeted advertising and the sale of personal data. It is set to take effect on July 01, 2023.
CPA Compliance Checklist for Websites
- Enable users to opt out of targeted advertising and the sale of personal data
- Implement a universal opt-out mechanism by July 01, 2024
- Establish a method to help users make data subject access requests easily
Prepare for CPA Compliance with CookieYes
Implement opt-out requests
The Colorado Privacy Act requires businesses to provide users with an easy mechanism to opt out of targeted advertising (including the use of third-party cookies), the sale of personal data and profiling.
With CookieYes you can
Automate consent management
Ensure that websites set third-party cookies only based on user preferences and secure continuous compliance with data privacy regulations.
Start your compliance with Colorado Privacy Act
Learn more about CPA and take the next step towards compliance
What is Colorado Privacy Act?
Colorado Privacy Act (CPA) is a new data privacy law that grants residents of Colorado rights over their personal data and regulates how businesses can process their personal data. Colorado is the third US state to pass a comprehensive consumer privacy law after California and Virginia.
The Act shares similarities with privacy laws such as CCPA (California), CPRA (California) and CPA (Colorado). The CPA was signed into law on July 8, 2021, and will take effect on July 1, 2023.
Who does CPA apply to?
Colorado Privacy Act (CPA) applies to any entity that:
- Conducts business in Colorado and produces products or services that intentionally target the residents of the state, and that either:
  - Processes the personal data of more than 100,000 individuals in any calendar year, or
  - Derives revenue or receives discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
Entities that are subject to HIPAA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act (FERPA) are excluded from the CPA.
What are consumer rights under CPA?
Right to access
The right to access the personal data a business has collected about them.
Right to correct
The right to correct any inaccuracy in their personal data.
Right to delete
The right to delete personal information that a business has collected from them.
Right to opt-out
The right to opt out of the processing of personal data for targeted advertising and the sale to third parties.
Right to data portability
The right to obtain a copy of their personal data in a portable format.
What is the penalty for non-compliance?
The Colorado Attorney General (AG) and/or Colorado District Attorneys have enforcement authority under the CPA. Any business that violates the Colorado Privacy Act will be subject to fines of up to $2000 per violation. Violations are “measured per consumer and per transaction,” and the total penalties may not exceed $500,000.
FAQ on CPA Compliance
Colorado has a new data privacy law, namely, the Colorado Privacy Act (CPA) which was officially enacted on July 8, 2021. Colorado became the third US state (after California and Virginia) to pass a data privacy law to protect its residents. The CPA will go into effect on July 1, 2023.
Personal data under the Colorado Privacy Act (CPA) is any “information that is linked or reasonably could be linked to an identified or identifiable individual”.
This can include information such as names, email addresses, physical addresses, identification numbers, IP addresses, and credit card information.
The regulation doesn’t consider de-identified data and publicly available data as personal data. Other exemptions include employee data such as job applicant data, and personal data collected for commercial or B2B purposes.
The Colorado Privacy Act protects sensitive data as a separate category of personal data. Sensitive data includes personal data that could reveal the traits of a consumer. It includes data like race, sexual orientation, religious belief, citizenship or citizenship status, genetic or biometric data, and personal data from a child under the age of 13.
The Colorado Attorney General (AG) and District Attorneys have exclusive authority to enforce the CPA. In case of a potential violation, the AG’s office will send a notice to the business and give it 60 days from receipt of the notification to correct the violation.
The Colorado Privacy Act exempts a wide range of organizations such as:
- Colorado government bodies
- Public utility organizations
- Higher education institutions
- Consumer reporting agencies
- Entities that process de-identified personal data
- Entities that collect/process data for the purpose of Colorado health insurance law or employment records
Personal data that is already governed by various state and federal laws also falls outside the scope of the Colorado Privacy Act. These include organizations that are covered by:
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Notably, the Colorado Privacy Act does not exempt non-profits and charitable organizations from the scope of its application.
Fast-track your CPA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.