Who needs to comply with the Colorado Privacy Act?

The Colorado Privacy Act (CPA) takes inspiration from established privacy regulations like the Virginia CDPA, California's CCPA and CPRA, and the influential GDPR from the EU. 

It combines these influences with its own unique features, making it a noteworthy piece of legislation that demands attention. Let's dive into the key aspects of who must comply with the CPA:

  • Controllers: The CPA focuses primarily on "controllers," which refers to individuals or entities that determine the purposes and methods of processing personal data. The act applies to controllers conducting business in Colorado or targeting Colorado residents with goods or services. However, specific thresholds must be met for businesses to fall under the CPA's scope.
  • Consumers: According to the CPA, "consumers" are defined as Colorado residents acting in their individual or household capacities. It's important to note that individuals operating in a business or work context, job candidates, and beneficiaries of commercial or employment-related activities are not considered "consumers" under the CPA.
  • Personal Data: The CPA defines "personal data" as information reasonably linked to an identifiable individual. However, de-identified data (where personal identifying information is removed) and publicly available information are not included in this definition.

Compliance with privacy regulations doesn't have to be an overwhelming task. It presents an opportunity for businesses to build trust with their customers and demonstrate their commitment to protecting privacy. At Denver Privacy Solutions, we can assist you on your compliance journey. Explore our article on achieving compliance with the Colorado Privacy Act or schedule a consultation with one of our experts today!

Frequently Asked Questions

What is the Colorado Privacy Act?

The Colorado Privacy Act is a comprehensive privacy law that sets rules for how businesses collect, use, and share personal information about Colorado residents. The law defines personal information as any information that is linked or reasonably linkable to an identified or identifiable individual, and includes things like name, address, email address, and social security number.

Who does the CPA apply to?

The CPA applies to businesses that conduct business in Colorado or target Colorado residents with their products or services and meet one of the following criteria:

  • Controls or processes the personal data of at least 100,000 Colorado residents per year
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 Colorado residents per year

The law also applies to third-party service providers that process personal information on behalf of covered businesses.

When does the CPA go into effect?

The CPA goes into effect on July 1st, 2023.

Why is the CPA a thing?

The CPA is intended to provide Colorado residents with greater control over their personal data and to give them the ability to access, correct, and delete that data. The law is also designed to promote transparency in data processing practices and to ensure that businesses that collect, process, and share personal information are held accountable for their actions.

How can businesses comply with the CPA?

To comply with the CPA, businesses must:

  • Provide Colorado residents with notice: Businesses must provide Colorado residents with a clear and conspicuous notice that describes their data processing practices, including the categories of personal information they collect, the purposes for which they use that information, and the categories of third parties with whom they share that information.
  • Obtain consent: Businesses must obtain Colorado residents' consent before processing their sensitive personal information, such as health information, financial information, or information about race or ethnicity.
  • Provide access, correction, and deletion rights: Businesses must provide Colorado residents with the right to access, correct, and delete their personal information. Businesses must also provide Colorado residents with the right to opt out of the sale of their personal information.
  • Ensure data security: Businesses must implement reasonable security measures to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
  • Appoint a privacy officer: Businesses must appoint a privacy officer who is responsible for ensuring compliance with the CPA.