Everything You Need to Know About the Colorado Privacy Act (CPA)

On July 7, 2021, Colorado Governor Jared Polis signed The Colorado Privacy Act (SB 190) into law, just a month after the bill was passed by the Colorado House of Representatives. The Colorado Privacy Act (CPA) marks the third state to pass comprehensive privacy law in the United States, following California’s California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA).

In this article, we’ll outline the most salient points of Colorado’s new privacy legislation.

What You Need to Know About the Colorado Privacy Act

When does it take effect?

The CPA will go into effect on July 1^st, 2023.              

What rights do Colorado residents have under the CPA?

The CPA outlines several new consumer rights for Colorado residents including:

• Right to Opt-Out. The right to opt-out of the processing of personal data for the purposes of advertising, profiling, and the sale of personal data.
• Right to Access. Consumers have the right to confirm whether or not a controller is processing their data, and to access their own data.
• Right to Deletion. The right to delete personal data collected by a controller or processor.
• Right to Correction. The right to correct inaccuracies in personal data.
• Right to Data Portability. The right to obtain personal data in a portable and readily usable format.

If those rights seem familiar, that’s because they closely mirror some of the rights outlined in the EU’s General Data Protection Regulation (GDPR), as well as the CCPA and the CDPA.

Notably, the CPA requires a universal opt-out mechanism, which will let customers opt-out of data tracking on websites with a single click, rather than having to navigate sub-menus to turn off specific tracking capabilities.

Colorado’s privacy law does not include a private right of action (PRA).

How are Processors and Controllers defined under the CPA?

Colorado’s bill took another cue from the GDPR in outlining definitions of data “processors” and data “controllers.” The bill defines a controller as “a person that, alone or jointly with others, determines the purposes and means of processing personal data.” A processor is defined as a person or business that “processes personal data on behalf of a controller.”

What responsibilities do businesses have under the CPA?

In addition to outlining definitions of Controller and Processor, the CPA specifies how controllers fulfill their customer's assertations of their rights and sets forth guidelines on purpose specification, transparency, avoiding unlawful discrimination, data minimization, and more.

The CPA also stipulates that controllers must conduct a data protection assessment for each data processing activity involving personal data which presents “a heightened risk of harm to consumers,” like targeted advertisement, consumer profiling, or the sale and processing of personally identifiable information (PII).

Who does it apply to?

The CPA will apply to any business that conducts business or produces commercial products or services that are targeted at Colorado residents and which either control or process data of at least 100,000 consumers per year or derive revenue from the sale of personal data and control or process data of at least 25,000 customers. The CPA is applicable even when a company derives less than 50% of its revenue from selling data.           

How Does Enforcement Work?        

Enforcement of the CPA falls to Colorado’s attorney general and district attorneys. Once the attorney general or district attorney has decided to start an action against a controller, the office must provide them notice. The controller then has a 60-day cure period in which they must remediate the violation. This cure period is not a permanent provision of the law, and will no longer be required as of January 1, 2025.

The CPA does not outline any fines for violations. Any violation of the CPA is considered a deceptive trade practice under Colorado law, and penalties are therefore governed by the Colorado Consumer Protection Act. Under the CCPA, a non-compliant business can be fined up to $20,000 per violation.

You can read the full text of the bill here.

How Ensighten Can Help

The CPA is just the latest in a string of state laws that bring new rights to consumers while pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the Colorado Privacy Act, as well as the CCPA, CDPA, and GDPR.

With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted opt-out of sale links for Colorado consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. And our low-code, zero-integration deployment means Ensighten CMP+ is easy to use. A simple line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3^rd party tags.

Request a demo to see how Ensighten can help your organization meet compliance with the Colorado Privacy Act.