Colorado Privacy Act Compliance FAQ

What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021 by Governor Jared Polis. It is set to take effect on July 1, 2023.

Colorado becomes the third state, following Virginia and California, to pass comprehensive data privacy legislation. The CPA draws inspiration from the European Union's General Data Protection Regulation (GDPR), as well as the California Privacy Rights Act (CPRA), California Consumer Privacy Act (CCPA), and Virginia Consumer Data Protection Act (VCDPA).

The CPA grants consumers the right to know, control, and delete their personal information. It applies to Colorado residents in their individual or household contexts, excluding individuals in commercial or employment settings, job applicants, and beneficiaries of someone in an employment context.

Under the CPA, personal data is broadly defined as information linked to an identifiable individual, excluding de-identified or publicly available information. Sensitive data includes categories such as race, religion, health conditions, sexual orientation, citizenship, and biometric data.

Failure to comply with the Colorado Privacy Act can result in fines of up to $20,000 per violation.

When does the CPA go into effect?

The Colorado Privacy Act will go into effect on July 1, 2023. As this date approaches, it becomes increasingly crucial for businesses to prepare and ensure their compliance with the CPA's requirements. Denver Privacy Solutions is well-versed in the nuances of the act and can guide you through the process with confidence.

Why is the CPA a thing?

The CPA grants essential rights to Colorado residents, empowering them to control their personal data. These rights include:

  1. Opting out of targeted advertising.
  2. Opting out of the sale of their personal data.
  3. Opting out of certain types of profiling.

Starting from July 1, 2023, controllers must honor user-selected universal opt-outs for targeted advertising and sales. Colorado residents also have the rights to access, correct, and delete their personal data, as well as the right to data portability. Controllers are generally required to respond to consumer requests within 45 days, ensuring transparency and accountability.

What businesses does the Colorado Privacy Act apply to?

The Colorado Privacy Act (CPA) applies to businesses known as "controllers" that engage in commercial activities within Colorado or provide commercial products or services intentionally targeted to Colorado residents. There are two criteria for coverage:

  1. Controllers who control or process the personal data of 100,000 or more consumers during a calendar year.
  2. Controllers who derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers.

It's important to note that "consumers" under the CPA refers specifically to Colorado residents in an individual or household context. It does not include residents acting in a commercial or employment capacity. Additionally, it's essential to understand that data collection extends beyond information gathered solely by your business website. It also encompasses third-party cookie trackers, plugins, and connected software associated with your website.

Unlike the California Consumer Privacy Act (CCPA), the CPA does not have a specific monetary threshold for applicability, such as the CCPA's $25,000,000 annual gross revenue threshold. Additionally, the CPA's consumer thresholds of 100,000 and 25,000 apply to both controlled and processed personal data. The CPA defines "process" to include not just data collection but also its storage. This means that businesses must consider the data they or their third-party cookies currently store, not just the data collected annually on their website, when determining applicability.

I'm not sure if the Colorado Privacy Act applies to me. How do I find out if it does?

The easiest solution is to contact us. Make sure to provide your website URL along with a phone number and email address so our experts can review your website and find out.

Even if you believe that the Colorado Privacy Act does not apply to your situation, we strongly advise consulting our experts. It is a common misconception that because a site does not receive 100,000 or 25,000 customers or visitors, the CPA does not affect the business; such an oversight can lead to future complications and challenges. Seek our guidance to avoid potential headaches down the line.

I don't think my business is a controller or processor as defined in the CPA. Am I good to go?

Even if you believe that the Colorado Privacy Act does not apply to your situation, we strongly advise consulting our experts. The 100,000 and 25,000 thresholds are often misinterpreted, putting your business at risk.

Further, apart from the Colorado Privacy Act, there are other statutes that entities need to be aware of to ensure comprehensive compliance. To learn more about this, please refer to section 6 of our article on how to get compliant with the Colorado Privacy Act. While these statutes may not apply to all businesses covered by the Colorado Privacy Act, it's essential to review them to determine their relevance to your operations.

What if I don't comply with the CPA?

Violators of the CPA may face fines ranging from $2,000 to $20,000 per violation. It's crucial to understand that CPA violations could also lead to potential criminal charges in addition to monetary penalties.

While the specific penalties and fines for CPA violations are not explicitly outlined in the regulation itself, it's important to note that such violations are deemed deceptive trade practices under the Colorado Consumer Protection Act. As a result, the enforcement of penalties will follow the provisions of this act.

How will the Colorado Privacy Act get enforced?

Enforcement of the CPA is carried out by the Colorado Attorney General and district attorneys, who hold exclusive authority to enforce the act. They have the power to seek injunctive relief and impose significant monetary damages. It's important to note that there is no private right of action under the CPA.

Initially, the Attorney General or district attorneys will issue a notice of violation, allowing entities a 60-day period to rectify the alleged violation. This provision, known as the "right to cure," will be in effect until January 1, 2025. Controllers can also seek opinion letters and interpretative guidance from the Attorney General's office to ensure compliance.

How can businesses comply with the CPA?

To comply with the CPA, businesses must:

Provide Colorado residents with notice: Businesses must provide Colorado residents with a clear and conspicuous notice that describes their data processing practices, including the categories of personal information they collect, the purposes for which they use that information, and the categories of third parties with whom they share that information.

Obtain consent: Businesses must obtain Colorado residents' consent before processing their sensitive personal information, such as health information, financial information, or information about race or ethnicity.

Provide access, correction, and deletion rights: Businesses must provide Colorado residents with the right to access, correct, and delete their personal information. Businesses must also provide Colorado residents with the right to opt out of the sale of their personal information.

Ensure data security: Businesses must implement reasonable security measures to protect personal information from unauthorized access, destruction, use, modification, or disclosure.

Appoint a privacy officer: Businesses must appoint a privacy officer who is responsible for ensuring compliance with the CPA.