Governor Jared Schutz Polis signed the Colorado Privacy Act (CPA) into law on July 7, 2021, making it the third comprehensive state law in the US. Where the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA) have several differences, the CPA aligns much more closely with the CDPA,  although in some areas the two laws are indistinguishable.

In 2022, the privacy landscape in the US became increasingly complex with the introduction of the Utah Consumer Privacy Act (UCPA) and the Connecticut Data Privacy Act (CTDPA). And, while the CPA will only make up one part of this privacy patchwork, understanding its requirements and nuances is crucial.

Use this page to take a closer look at the CPA and what it might mean for your privacy compliance program.

What is the Colorado Privacy Act?

The CPA is a comprehensive state privacy law in Colorado that regulates how organizations collect and use consumers’ information and offers consumers rights in relation to their personal information.

What does CPA stand for?

The CPA stands for the Colorado Privacy Act. It has also been known as Senate Bill 21-190 (SB 21-190) and A Bill for an Act Concerning Additional Protection of Data Relating to Personal Privacy.

What is the effective date of the Colorado Privacy Act?

The CPA will become effective on July 1, 2023. After this date, organizations that fall under the CPA’s scope must ensure their privacy program is compliant with all requirements of the law.

Colorado Privacy Act summary

In summary, the CPA introduces requirements for organizations to meet when handling consumers’ personal and sensitive data. These include a new set of consumer rights, specific conditions for consent, and the need to conduct data protection assessments, among other things.

But before you can understand the requirements of the CPA, you must first under who and what the CPA applies to.

Who does the CPA apply to?

The CPA applies to any data controller that conducts business, produces, or delivers commercial products or services which are intentionally targeted to Colorado residents.

In addition, covered organizations must also meet one of the following criteria:

• Processing or controlling the personal data of at least 100,000 consumers in a calendar year
• Processing or controlling the personal data of 25,000 consumers or more and deriving revenue or receiving a discount on the price of goods or services from the sale of personal data

For a greater understanding of the CPA’s scope, it is important to be aware of what is considered personal data under the law. The CPA defines personal data information that is linked or reasonably linkable to an identified or identifiable individual.

Colorado Privacy Act exemptions

There are certain exemptions to the CPA’s regulations that apply to certain entities or personal data that is otherwise governed by other state and federal laws. There are also some general examples of exempt data types that include de-identified personal data, employee data including job applicant data, and personal information collected for commercial or B2B purposes.

Exemptions for covered information

As is the case in other US states, certain types of personal data are covered by different laws across different industries, both at the federal and state level. Personal data that is already covered by these laws falls outside of the scope of the CPA. These include:

• Children’s Online Privacy Protection Act (COPPA)
• Fair Credit Reporting Act (FCRA)
• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)

Compliance with the Colorado Privacy Act

Compliance with the CPA is critical for maintaining good data privacy practices, developing trusted data use processes, and avoiding being under the enforcement spotlight of the Attorney General.

Consumer rights

The CPA provides a new set of rights for consumers to exercise in order to have greater control over the use of their personal data. These rights allow consumers to have greater visibility into what personal data organizations hold, access copies of personal data related to them, and opt-out of certain types of processing.

Consumer rights under the CPA include:

• The right of access
• The right to correction
• The right to deletion
• The right to data portability
• The right to opt-out of
  • Sale of personal data
  • Targeted advertising
  • Profiling
• The right to appeal
• The right to non-discrimination

Organizations that receive a consumer rights request under the CPA must respond without undue delay and within 45 days. Organizations have the possibility to request a 45-day extension.

Data controllers are not required to comply with a consumer rights request if they cannot authenticate the request using commercially reasonable efforts.

Consent

Under the CPA, there are some specific scenarios whereby organizations must obtain consent from the consumer. These include prior to collection and use of sensitive data as well as when data controllers intend to use personal data for a purpose other than the purpose that the personal data was originally collected.

The CPA defines valid consent as “a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action.”

Sensitive data

The CPA distinguishes certain types of personal data as sensitive data and places additional requirements around the processing of such data.

The CPA defines sensitive data as any personal data that reveals:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health conditions or diagnosis
• Sex life or sexual orientation
• Citizenship status
• Genetic information
• Biometric information

The CPA’s definition of sensitive data also covers the personal data of a known child.

For covered organizations to process sensitive data they must obtain valid consent from the consumer prior to collection.

Data protection assessments

Organizations are required to carry out data protection assessments, an assessment similar to a PIA, prior to conducting processing that presents a heightened risk of harm to consumers.

The CPA notes activities that present a heightened risk of harm to consumers include:

• Targeted advertising
• Profiling
• Selling personal data
• Processing sensitive data

When conducting a data protection assessment, data controllers should balance the risks and benefits of the processing activity and should consider several factors including:

• Context of the processing
• Relationship between the controller and the consumer
• Expectations of the consumer
• Use of de-identified data

Having performed a data protection assessment, data controllers must make the assessment available to the Attorney General upon request.

Notices

Privacy notices are common amongst privacy laws, not just in the US but across the world. The CPA is no different and requires data controllers to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.”

When presenting a privacy notice to a consumer, the data controller must include:

• The categories of personal data collected or processed
• The purposes for processing
• An estimate of how long personal data will be maintained
• How consumers can exercise their rights, including:
  • The controller's contact information
  • How to make an appeal
• The categories of personal data that are shared with third parties
• The types of third parties that personal data is shared with

Colorado Privacy Act enforcement and penalties

Violating the CPA can result in monetary penalties and remediation orders. But who enforces the CPA and how much can an organization be fined for non-compliance?

Who enforces the CPA?

Compliance with the CPA is exclusively enforced by the Colorado Attorney General or the district attorney.

CPA fines and penalties

Violations of the CPA can result in maximum civil penalties of up to $20,000 per violation with a total maximum penalty of $500,000.

Is there a private right of action under the CPA?

There is no provision for a private right of action under the CPA.

Is there a cure period under the CPA?

Organizations that are found to have violated the requirements of the CPA may be awarded a 60-day period in which they can remediate these violations. The CPA cure period will be repealed on January 1, 2025.

Follow OneTrust DataGuidance on LinkedIn to keep up to date with the latest regulatory news, webinars, and resources