Understanding the Colorado Privacy Act: Transcend's Comprehensive Guide

• The Colorado Privacy Act (CPA) was passed on July 8, 2021.

• To prepare for Colorado’s privacy law, businesses need conduct a privacy impact assessment, revise privacy policies, build a universal opt-out mechanism, implement consent management, and establish processes for fulfilling data requests.

• CPA enforcement begins on July 1, 2023.

What is the Colorado Privacy Act?

• Scope: Who is subject to the CPA?

• Colorado Privacy Act vs CPRA vs CDPA

• CPA consumer rights

• CPA enforcement

• Exemptions to the CPA

How to Prepare for the Colorado Privacy Act

• Determine whether the CPA applies to your business

• Conduct a privacy impact assessment

• Build a universal opt-out mechanism

• Implement a way to gather consent

• Create workflows for responding to data subject requests

• Revise privacy policies

Passed in 2021, the Colorado Privacy Act is Colorado’s new data privacy law—establishing data rights for Colorado (CO) residents, while placing new obligations on CO businesses processing personal data.

While the CPA doesn’t take effect until mid-2023, Colorado businesses should start working towards understanding CPA requirements now in order to prepare accordingly.

Below we’ll cover who’s subject to the CPA, how the CPA is different from the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (CDPA), consume rights provided by the CPA, and how the CPA will be enforced.

The Colorado Privacy Act applies to both for-profit and non-profit entities within a defined scope. Specifically, the CPA applies to any entity that:

“conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado”

If an entity meets that criteria, they must also:

• control or process personal data for 100,000 or more consumers a year OR

• control personal data for at least 25,000 consumers AND derive revenue or receive a discount from selling personal data

If a businesses meets these criteria, they are subject to CPA requirements.

The third addition to the growing canon of state privacy laws in the US, Colorado’s privacy law is similar in part to the EU’s General Data Protection Regulation (GDPR), but mirrors the CCPA/CPRA and Virginia’s CDPA more closely overall.

The Colorado Privacy Act was preceded by the CCPA/CPRA and the Virginia Consumer Data Protection Act (VCDPA). While they share many structural similarities, the CPA has a few notable differences.

The Colorado Privacy Act applies to non-profit entities that meet certain thresholds. In many cases, the CPA also applies to HIPAA-regulated entities–a notable divergence from the Virginia CDPA, which exempts these entities in full.

The Colorado Privacy Act has no revenue threshold when it comes to gross income earned from data processing–unlike the CCPA and CDPA, which both set a revenue threshold at 50%. Put simply, the CPA applies when any portion of a company’s gross income comes from processing data.

The CPA requires data protection impact assessments (DPIA’s) for any processing activity that poses “heightened risk” to consumers i.e. profiling, targeted advertising, and data sale. Unlike other US privacy laws, the CPA has very few exemptions when it comes to doing DPIAs.

Colorado entities are required to provide a “universal opt-out option” by July 1, 2024. This would give consumers a singular mechanism, such as a one-click button, for opting out of both the sale of personal data and targeted advertising. In contrast, California and Virginia’s laws allow for multiple mechanisms to achieve full opt-out.

Unlike the CCPA, the CPA does not have a private right of action, which is when “a regular person, a private citizen, is legally entitled to enforce their rights under a given statute.” This means that only the Colorado Attorney General and other district attorneys can enforce the CPA.

If a violation notice is issued, the controller has a 60 day “cure period” to resolve alleged violations. Under the CCPA and VCDPA, entities only have 30 days.

The CPA (similar to the Virginia CDPA, but unlike the CCPA) requires controllers to have an internal appeals process if they are, for whatever reason, unable to fulfill a data subject request.

For a full breakdown of the differences between state privacy laws in the US, check out our handy infographic.

The Colorado Privacy Act mandates certain rights for consumers that controllers must honor once the law takes effect.

A consumer has the right to access and confirm permission for any personal data processed by the controller.

If a consumer notices an inaccuracy in their personal data, they have the right to correct it.

A consumer has the right to delete their personal data.

Consumers have the right to access and transfer their personal data in a way that is technically feasible. The data must be in a format that is readily usable and easy to transmit. A consumer has the right to exercise data portability twice every year.

A consumer has the right to opt out of the processing of their personal data in relation to:

1. targeted advertising;

2. the sale of personal data; or

3. profiling around activities that affect legal decision making

The controller must provide a “clear and conspicuous” method for the consumer to exercise their right to opt-out. This mechanism must be in an accessible location outside the privacy notice.

By July 1, 2024, the controller must also provide consumers a way to universally opt-out (of both targeted advertising and personal data sale).

The Colorado Privacy Act will be enforced by the Attorney General and/or Colorado District Attorneys. As the CPA does not contain a Private Right of Action, consumers cannot personally hold entities accountable for misappropriating their data.

As outlined in the Colorado Revised Statutes § 6-1-112 (2016), controllers or processors of data who have violated the law may be subject to a penalty of up to $2,000 per violation.

Each violation is “measured per consumer and per transaction,” but aggregated penalties may not exceed $500,000.

After receiving notice, a controller has 60 days to address a violation. The Attorney General may also seek an injunction against the controller to stop the unlawful acts.

A limited number of entities are exempt from the Colorado Privacy Act. Similar to other state privacy laws, exemptions fall into two categories: entity-level and data-level.

Entity-level exemptions include:

• Colorado state and local governing bodies

• Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act

• State run higher education institutions

Data-level exemptions include:

• Identifying patient information, as well as health data processed by an exempted entity or covered under HIPAA’s de-identification requirements

• Data shared in a commercial or employment setting, including job applicants

• Data already regulated by existing privacy laws

As noted earlier, the CPA does not include exemptions for non-profits or HIPPA regulated entities–a significant divergence from CCPA.

Colorado Privacy Act enforcement will begin on July 1, 2023. This may seem like a long time, but building out privacy infrastructure can be a complex, time consuming endeavor. Savvy businesses will act now to shore up their privacy stance and ensure compliance.

For businesses whose customers are only in Colorado, there may be less to consider overall. However, any business with customers both in Colorado and other states will want to develop a holistic approach for their data privacy compliance program.

Yes, only three states have passed privacy legislation so far, but as of January 2022 there were 15 states considering privacy bills in their 2022 session.

Building a program designed to support broad, future-forward privacy compliance will pay the highest dividends in the long term.

To prepare for CPA enforcement, businesses should consider the following:

The first thing any CO business must do is determine whether or not they fall under the scope of the CPA. As a reminder, the baseline requirements are that an entity:

“conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado”

If an entity meets that criteria, they must also:

• control or process personal data for 100,000 or more consumers a year OR

• control personal data for at least 25,000 consumers AND derive revenue or receive a discount from selling personal data

This scope means determining a few key things:

1. How much consumer data your organization is processing

2. Whether or not that data could be considered ‘personal’

3. Whether or not any of that data is being sold

Remember, the Colorado Privacy Act does not have a revenue threshold in regards to the sale of personal data–so if your organization makes any money from selling personal data, the CPA applies.

Privacy impact assessments, otherwise known as data protection impact assessments (DPIA), are a requirement of the Colorado Privacy Act.

According to the act, “data protection assessments must identify and weigh the benefits [of how the data is being used] against the potential risks to the rights of the consumer.”

At its core, a privacy impact assessment is meant to identify consumer risk within processing activities–so if risks are identified, organizations have a clear course of action for mitigation.

Data mapping, though not a requirement of the Colorado Privacy Act, is an essential precursor to an effective DPIA. Without a clear idea of where data lives and how it’s used, it’s nearly impossible to analyze whether or not it’s being used in a risky manner.

Unlike other privacy laws, the CPA has very few exemptions when it comes to DPIAs–so organizations should be proactive.

Entities under the scope of Colorado’s privacy law must provide a universal opt-out option, which a customer can use to opt out of targeted advertising and the sale of personal data simultaneously.

Organizations must provide this functionality by July 1, 2024.

Though specific guidelines in regards to the mechanism itself are not yet available, the CPA states this opt-out mechanism must meet the technical requirements outlined by the Colorado Attorney General. Those requirements will be made available by July 1, 2023.

The CPA requires that data controllers must obtain consent in a way that is “affirmative, informed, and clear.”

Gathering consent cannot rely on users, “accepting general terms of use, use of dark patterns, or hovering over, muting, pausing, or closing content.”

Put simply, it must be clear to a user they are agreeing to their personal data being collected, stored, or used.

Implementing consent requirements often calls for consent managers, like cookie banners, that allow users to choose what, if any, personal data tracking they will allow while on a site.

As the Colorado Privacy Act grants consumers the right to access, correct, verify, and delete their personal data, organizations must implement a way to fulfill those requests.

Many organizations rely on manual processes that involve a privacy@ email address, spreadsheets for tracking request status, and a person (or two) whose job it is to field the requests. Once a request is logged, that person must then track down personal data across dispersed systems, package the data, and then send it back to the consumer.

These manual privacy workflows are inefficient, insecure, and unscalable. Organizations should look at implementing an automated privacy request platform that streamlines the request process, while enabling end-to-end security for sensitive data.

A clear, actionable privacy policy is your organization’s best friend when it comes to building a sustainable, effective privacy program.

Publishing a comprehensive policy not only ensures your company is thinking through all the necessary components for compliance, it also gives your customers the information they need to fulfill their data rights.

Using concise language is a best practice. This helps, again, with giving customers the info they need–helping to forestall many of the questions that may pop up if your privacy policy is rife with legalese.

Another good guideline is to provide as many self-serve options in your policy as possible. Include links to your consent manager if you have one, as well as your privacy request center.

If you don’t have an automated request center, include instructions on how a user can request or access their data, as well as an outline for what happens after they do.

While the Colorado Privacy Act does not take effect until July 2023, entities doing business in Colorado, or targeting their services and products to Colorado consumers should take steps now to prepare.

Despite not being an exact replica, businesses can look to California’s data privacy law for guidance. Because the CCPA is already in effect, businesses can get an idea as to how Colorado’s data privacy law might work in practice and how they can get ahead on compliance.

• Colorado Privacy Act: US Consumer Data Privacy Framework Continues Expansion

• The Colorado Privacy Act: Enactment of Comprehensive U.S. State Consumer Privacy Laws Continues

• Colorado’s Privacy Act: A Curve Ball on Consent and Targeted Ads

• Colorado Privacy Act: What Businesses Need to Know

• Colorado Privacy Act becomes law

If your organization has been impacted by the Colorado Privacy Act or other consumer data laws, Transcend can help you ensure compliance. Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.

Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.