Everything you need to know about the Colorado Privacy Act (CPA)

Privacy · Privacy Law
Morgan Sullivan
January 21st, 2022 · 9 min read

Introduction

The Colorado Privacy Act (CPA) was passed on July 8, 2021 and enforcement begins on July 1, 2023.

A new addition to the growing canon of state-based privacy laws in the US, the CPA places new requirements on businesses and other organizations that collect, store, and process consumer data in Colorado (CO).

The Colorado Privacy Act is one part of a general trend towards state-based consumer data privacy laws in the US: California passed the CCPA in 2018 and the CPRA in 2020, while Virginia passed the Consumer Data Protection Act in 2021.

As of January 2022, 15 other states were considering new privacy legislation.

While the Colorado Privacy Act doesn’t take effect until mid-2023, entities based in Colorado or targeting CO residents should understand how the CPA works and how it will affect their business.

Table of contents

What is the Colorado Privacy Act?

How Businesses Can Prepare for the Colorado Privacy Act

What is the Colorado Privacy Act?

The Colorado Privacy Act was designed to protect personal data for Colorado residents, while establishing specific rights pertaining to how that data is processed.

While the CPA has some similarities to the EU’s General Data Protection Regulation (GDPR), its structure more closely mirrors the CCPA/CPRA, as well as Virginia’s CDPA.

Scope: Who is subject to the CPA?

Though there are a few notable exceptions, the Colorado Privacy Act applies to both for-profit and non-profit entities within a defined scope. Specifically, the CPA applies to any entity that:

“conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado”

If an entity meets that criterion, it must also:

  • control or process personal data for 100,000 or more consumers a year OR

  • control personal data for at least 25,000 consumers AND derive revenue or receive a discount from selling personal data

Businesses that fall under either of the above categories will have to implement and maintain “reasonable” security procedures to protect personal data.

They will also need to conduct and document a data protection assessment for each processing activity that involves personal data and poses a “heightened risk” to the consumer.

How is the CPA different from the CPRA and CDPA?

The Colorado Privacy Act was preceded by the CCPA/CPRA and the Virginia Consumer Data Protection Act (VCDPA). While they share many structural similarities, the CPA has a few notable differences.

Entities regulated

The Colorado Privacy Act applies to non-profit entities that meet certain thresholds. In many cases, the CPA also applies to HIPAA-regulated entities, a notable divergence from the Virginia CDPA, which exempts these entities in full.

Revenue threshold

The Colorado Privacy Act has no revenue threshold for gross income earned from data processing, unlike the CCPA and CDPA, which both set a revenue threshold at 50%. Put simply, the CPA applies when any portion of a company’s gross income comes from processing data.

Data protection impact assessments

The CPA requires data protection impact assessments (DPIAs) for any processing activity that poses a “heightened risk” to consumers, i.e. profiling, targeted advertising, and data sale. Unlike other US privacy laws, the CPA has very few exemptions when it comes to conducting DPIAs.

Opt-out mechanism

Colorado entities are required to provide a “universal opt-out option” by July 1, 2024. This would give consumers a singular mechanism, such as a one-click button, for opting out of both the sale of personal data and targeted advertising. In contrast, California and Virginia’s laws allow for multiple mechanisms to achieve full opt-out.

Enforcement

Unlike the CCPA, the CPA does not have a private right of action, which is when “a regular person, a private citizen, is legally entitled to enforce their rights under a given statute.” This means that only the Colorado Attorney General and other district attorneys can enforce the CPA.

Resolution timeframe

If a violation notice is issued, the controller has a 60-day “cure period” to resolve alleged violations. Under the CCPA and VCDPA, entities only have 30 days.

Internal appeals process

The CPA (similar to the Virginia CDPA, but unlike the CCPA) requires controllers to have an internal appeals process if they are, for whatever reason, unable to fulfill a data subject request.

Consumer rights provided by the Colorado Privacy Act

The CPA mandates certain rights for consumers that controllers must honor once the law takes effect.

Right to access

A consumer has the right to confirm whether a controller is processing their personal data and to access that data.

Right to correction

If a consumer notices an inaccuracy in their personal data, they have the right to correct it.

Right to delete

A consumer has the right to delete their personal data.

Right to data portability

Consumers have the right to access and transfer their personal data in a way that is technically feasible. The data must be in a format that is readily usable and easy to transmit. A consumer has the right to exercise data portability twice every year.

Right to opt out

A consumer has the right to opt out of the processing of their personal data in relation to:

  1. targeted advertising;
  2. the sale of personal data; or
  3. profiling used to make decisions that have legal effects on the consumer

The controller must provide a “clear and conspicuous” method for the consumer to exercise their right to opt out. This mechanism must be in an accessible location outside the privacy notice.

By July 1, 2024, the controller must also provide consumers a way to universally opt out (of both targeted advertising and personal data sale).

CPA enforcement

The Colorado Privacy Act will be enforced by the Attorney General and/or Colorado District Attorneys. As the CPA does not contain a Private Right of Action, consumers cannot personally hold entities accountable for misappropriating their data.

As outlined in the Colorado Revised Statutes § 6-1-112 (2016), controllers or processors of data who have violated the law may be subject to a penalty of up to $2,000 per violation.

Each violation is “measured per consumer and per transaction,” but aggregated penalties may not exceed $500,000.

After receiving notice, a controller has 60 days to address a violation. The Attorney General may also seek an injunction against the controller to stop the unlawful acts.

Exemptions to the CPA

A limited number of entities are exempt from the Colorado Privacy Act. Similar to other state privacy laws, exemptions fall into two categories: entity-level and data-level.

Entity-level exemptions include:

  • Colorado state and local governing bodies

  • Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act

  • State-run higher education institutions

Data-level exemptions include:

  • Identifying patient information, as well as health data processed by an exempted entity or covered under HIPAA’s de-identification requirements

  • Data shared in a commercial or employment setting, including job applicants

  • Data already regulated by existing privacy laws

As noted earlier, the CPA does not include exemptions for non-profits or HIPAA-regulated entities, a significant divergence from the CCPA.

How businesses can prepare for the Colorado Privacy Act

Enforcement of the Colorado Privacy Act will begin on July 1, 2023. This may seem like a long time, but building out privacy infrastructure can be a complex, time-consuming endeavor. Savvy businesses will act now to shore up their privacy stance and ensure compliance.

For businesses whose customers are only in Colorado, there may be less to consider overall. However, any business with customers both in Colorado and other states will want to develop a holistic approach for their data privacy compliance program.

Yes, only three states have passed privacy legislation so far, but as of January 2022 there were 15 states considering privacy bills in their 2022 session.

Building a program designed to support broad, future-forward privacy compliance will pay the highest dividends in the long term.

To prepare for CPA enforcement, businesses should consider the following:

Determine whether the CPA applies to your business

The first thing any CO business must do is determine whether or not they fall under the scope of the CPA. As a reminder, the baseline requirements are that an entity:

“conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado”

If an entity meets that criterion, it must also:

  • control or process personal data for 100,000 or more consumers a year OR

  • control personal data for at least 25,000 consumers AND derive revenue or receive a discount from selling personal data

Whether your organization falls within this scope turns on a few key questions:

  1. How much consumer data your organization is processing
  2. Whether or not that data could be considered ‘personal’
  3. Whether or not any of that data is being sold

Remember, the Colorado Privacy Act does not have a revenue threshold regarding the sale of personal data, so if your organization makes any money from selling personal data, the CPA applies.

Conduct a privacy impact assessment

Privacy impact assessments, otherwise known as data protection impact assessments (DPIAs), are a requirement of the CPA.

According to the act, “data protection assessments must identify and weigh the benefits [of how the data is being used] against the potential risks to the rights of the consumer.”

At its core, a privacy impact assessment is meant to identify consumer risk within processing activities, so that when risks are identified, organizations have a clear course of action for mitigation.

Data mapping, though not a requirement of the Colorado Privacy Act, is an essential precursor to an effective DPIA. Without a clear idea of where data lives and how it’s used, it’s nearly impossible to analyze whether or not it’s being used in a risky manner.

Unlike other privacy laws, the CPA has very few exemptions when it comes to DPIAs, so organizations should be proactive.

Build a universal opt-out mechanism

Colorado entities under the scope of the CPA must provide a universal opt-out option, which a customer can use to opt out of targeted advertising and the sale of personal data simultaneously.

Organizations must provide this functionality by July 1, 2024.

Though specific guidelines for the mechanism itself are not yet available, the CPA states this opt-out mechanism must meet the technical requirements outlined by the Colorado Attorney General. Those requirements will be made available by July 1, 2023.

The CPA requires that data controllers obtain consent in a way that is “affirmative, informed, and clear.”

Gathering consent cannot rely on users “accepting general terms of use, use of dark patterns, or hovering over, muting, pausing, or closing content.”

Put simply, it must be clear to a user they are agreeing to their personal data being collected, stored, or used.

Implementing consent requirements often calls for consent managers, like cookie banners, that allow users to choose what, if any, personal data tracking they will allow while on a site.

Create workflows for responding to data subject requests

As the CPA grants consumers the right to access, correct, verify, and delete their personal data, organizations must implement a way to fulfill those requests.

Many organizations rely on manual processes that involve a privacy@ email address, spreadsheets for tracking request status, and a person (or two) whose job it is to field the requests. Once a request is logged, that person must then track down personal data across dispersed systems, package the data, and then send it back to the consumer.

These manual privacy workflows are inefficient, insecure, and unscalable. Organizations should look at implementing an automated privacy request platform that streamlines the request process, while enabling end-to-end security for sensitive data.

Revise privacy policies

A clear, actionable privacy policy is your organization’s best friend when it comes to building a sustainable, effective privacy program.

Publishing a comprehensive policy not only ensures your company is thinking through all the necessary components for compliance, it also gives your customers the information they need to fulfill their data rights.

Using concise language is a best practice. This, again, helps give customers the information they need, forestalling many of the questions that pop up when a privacy policy is rife with legalese.

Another good guideline is to provide as many self-serve options in your policy as possible. Include links to your consent manager if you have one, as well as your privacy request center.

If you don’t have an automated request center, include instructions on how a user can request or access their data, as well as an outline for what happens after they do.

Conclusion

While the Colorado Privacy Act does not take effect until July 2023, entities doing business in Colorado, or targeting their services and products to Colorado consumers, should take steps now to prepare.

Although the CPA is not an exact replica of California’s data privacy law, businesses can look to the CCPA for guidance. Because the CCPA is already in effect, businesses can get an idea of how Colorado’s data privacy law might work in practice and how they can get ahead on compliance.

San Francisco, California Copyright © 2022 Transcend, Inc.