
Colorado: CPA - FAQs

The Colorado Senate re-passed Senate Bill ('SB') 21-190, for an Act concerning additional protection of data relating to personal privacy ('CPA'), on 8 June 2021, after considering the amendments made to the bill by the Colorado House of Representatives.

The Governor signed the bill on 7 July 2021. The CPA will enter into effect on 1 July 2023.

Scope, applicability, and key definitions

Who does the CPA apply to?

The CPA applies to controllers that conduct business or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either:

  • control or process personal data of 100,000 consumers or more per calendar year; or
  • derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

Are certain data exempted from the application of the CPA?

The CPA does not apply to certain personal data governed by listed state and federal laws (for example, certain protected health information and certain healthcare information, among others), to certain listed activities, or to employment records.

How does the CPA define 'consumers'?

The CPA defines 'consumer' as an individual who is a Colorado resident acting only in an individual or household context. The definition does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

How does the CPA define a 'controller'?

The CPA defines 'controller' as a person that, alone or jointly with others, determines the purposes for and means of processing personal data.

How does the CPA define 'personal data'?

The CPA defines 'personal data' as information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information.

How does the CPA define 'consent'?

The CPA defines 'consent' as a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.

How does the CPA define 'sensitive data'?

The CPA defines 'sensitive data' as personal data revealing:

  • racial or ethnic origin;
  • religious beliefs;
  • a mental or physical health condition or diagnosis;
  • sex life or sexual orientation;
  • citizenship or citizenship status;
  • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
  • personal data from a known child.

How does the CPA define 'processing'?

The CPA defines 'process' or 'processing' as the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

How does the CPA define 'sale' of personal data?

The CPA defines 'sale', 'sell', or 'sold' as the exchange of personal data for monetary or other valuable consideration by a controller to a third party.

However, the concept of 'sale', 'sell', or 'sold' does not include the following:

  • the disclosure of personal data to a processor that processes the personal data on behalf of a controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
  • the disclosure of personal data:
    • that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
    • intentionally made available by a consumer to the general public via a channel of mass media.

Key provisions and requirements

Does the CPA provide for consumer rights?

The CPA provides several privacy rights, including the right to:

  • opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling used for decisions that produce legal or similarly significant effects on a consumer;
  • access;
  • correction;
  • deletion of personal data; and
  • data portability, i.e. to obtain a portable copy of the data.

Are there obligations in relation to sensitive data?

Controllers must not process sensitive data without first obtaining the consumer's consent or, in the case of sensitive data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.

What are the main obligations for data controllers?

The CPA requires data controllers to adhere to the following requirements:

  • the collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes;
  • personal data must not be processed for purposes that are not compatible with the initially specified purposes unless the controller first obtains the consumer's consent;
  • reasonable measures must be taken to secure personal data; and
  • personal data must not be processed in a manner that violates laws prohibiting unlawful discrimination against consumers.

What are the main obligations for data processors?

The CPA requires processors to adhere to the instructions of the controller and to assist the controller in meeting its obligations by:

  • taking appropriate technical and organisational measures, insofar as this is possible, to fulfil the controller's obligation to respond to consumer requests to exercise their rights;
  • aiding the controller in meeting its security obligations when processing personal data and in relation to a breach of the security of the system; and
  • providing the information necessary for the controller to conduct and document data protection assessments.

What are the transparency responsibilities of data controllers?

Controllers must provide consumers with a reasonably clear, accessible, and meaningful privacy notice that includes:

  • the categories of personal data collected or processed by the controller or a processor;
  • the purposes for which the personal data are processed;
  • how and where consumers may exercise their rights, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties, if any; and
  • the categories of third parties, if any, with whom the controller shares personal data.

In addition, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

Are vendor privacy relationships regulated under the CPA?

Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out, among other things:

  • the processing instructions to which the processor is bound, including the nature and purpose of the processing;
  • the type of personal data subject to the processing, and the duration of the processing; and
  • the requirements imposed regarding:
    • the duty of confidentiality when processing personal data; and
    • providing the controller with an opportunity to object to the engagement of a subcontractor, as well as implementing appropriate technical and organisational measures.

Are Data Protection Impact Assessments regulated under the CPA?

The CPA requires controllers to conduct data protection assessments where the processing of personal data presents a heightened risk of harm to consumers. Such processing includes:

  • processing for the purposes of targeted advertising, or for profiling where the profiling presents a reasonably foreseeable risk to consumers;
  • selling personal data; and
  • processing sensitive data.

Controllers must also make data protection assessments available to the Attorney General upon request; the Attorney General may evaluate them for compliance with the duties set out in the CPA.

Who is empowered to enforce violations of the CPA?

The Attorney General of Colorado and District Attorneys have exclusive authority to enforce the CPA.

What penalties are controllers and processors facing under the CPA?

If a controller fails to cure a violation within 60 days of receiving a notice of violation, the Attorney General and/or District Attorney can bring an action in the name of the State of Colorado, as parens patriae on behalf of Colorado residents, including seeking an injunction to enjoin a violation of the CPA.

Next stages

What is the legislative status of the CPA?

Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy was signed by the Colorado State Governor on 7 July 2021.

When will the CPA come into force?

The CPA will go into effect on 1 July 2023.

Authored by OneTrust DataGuidance
